ABSTRACT


As the Information Age emerges as the next great technological movement of modern 
civilization, the pursuit of information dominance will ultimately lead to the possession 
of information superiority; yet inferiority could prevail in the same breath if that 
pursuit is not carefully examined. Unlike wars of the past, however, the Department of 
Defense (DoD) faces a new dimension of modern warfare, against a novel adversary: the 
faceless foe. This faceless foe can come from abroad, from within the country, and even 
from within our own seemingly secure, yet vulnerable, infrastructure. As modern society 
continues to move forward with the “latest high-tech gadget” or “cutting edge” 
technology, information still prevails. With increased wants and needs for information 
come the associated risks and vulnerabilities of information management, since people (and 
organizational procedure) can work against you and against your information management 
and protection schemes. 

With the rapid growth of the internet and the expansion of the Global Information 
Grid (GIG), the US military and DoD agencies have unfortunately become prime targets of 
numerous attacks from threats both within and beyond the confines of the United States. 
Internet growth has also led to internet dependencies that will most likely continue to 
grow as well. Global awareness and standard operating procedures need to be adopted by 
all users within these boundaries to provide the DoD with assurance that its information 
will not be compromised, or perhaps sold to our adversaries. 

The objective of this thesis is to assess the People and Organizational (P-O) 
aspect of secure network environments with respect to the current standards and 
procedures that the DoD implements toward protecting network infrastructures. This 
thesis aims to revitalize Information Assurance training standards and implement best 
practice methods to address the influence of people (as users) and organizational 
procedures (as operating environment) within the DoD structure on information security. 
I. INTRODUCTION 

A. OVERVIEW 

As the Information Age emerges as the next great technological movement of modern 
civilization, the pursuit of information dominance will ultimately lead to the possession 
of information superiority; yet inferiority could prevail in the same breath if that 
pursuit is not carefully examined. During the Cold War era, the Department of Defense 
(DoD) was fully engaged in a massive nuclear arms race with a well known enemy, the 
former Soviet Union, in order to preserve national security. Likewise, with recent 
technological advances and the speedy growth of the Internet, we are now entering a new 
race for national security or, in some cases, business enterprise security; both include 
the race for superior information management. Unlike wars of the past, the DoD faces a 
new dimension of modern warfare against a novel adversary: the faceless foe. 

This faceless foe can come from abroad, domestically, and even within our own 
seemingly secure, yet vulnerable infrastructure. As modern society continues to move 
forward with the “latest high-tech gadget” or “cutting edge” technology, information still 
prevails. With increased wants and needs for information comes the associated risks and 
vulnerabilities of information management as people (and organizational procedure) can 
work against you and/or your information management and protection schemes. 

Currently, the Department of Defense (DoD) is struggling to manage information 
flow. As the DoD information infrastructure grows daily, cyber-attacks, cyber-crimes and 
exploitations are being uncovered at an alarming rate.1 Consequently, many questions 
about the effectiveness of DoD Information Assurance (IA) and Operations Security (OPSEC) 
come to the surface. For example, are current computer network defense procedures and 
principles meeting the mark in safeguarding government installations from cyber crimes 
and attacks? Perhaps the principal concern is that computer network defense procedures 
and principles are in place, but the people (users) are the ones inducing the tribulations 
and vulnerabilities within the DoD information infrastructure. 

1 Internet Crime Complaint Center (IC3), 2007 Internet Crime Report, National White Collar Crime 
Center: Federal Bureau of Investigation (FBI). Washington D.C. 2007. 
http://www.nw3c.org/research/site files.cfm?mode=p (Last accessed 05 September 2008). 

With the rapid growth of the internet and the expansion of the Global Information 
Grid (GIG), the US military and DoD agencies have unfortunately become prime targets of 
numerous attacks from threats both within and beyond the confines of the United States. 
Internet growth has also led to internet dependencies that will most likely continue to 
grow. Global awareness and standard operating procedures need to be adopted by all users 
within these boundaries to provide the DoD with assurance that its information will not 
be compromised, or perhaps sold to our adversaries. The Commander in Chief's National 
Strategy to Secure Cyberspace2 and the NETWARCOM mission (to create war-fighting and 
business options for the Fleet to fight and win in the information age)3 address numerous 
protection areas that require critical analysis and revision or modification to establish 
“best practice” rule sets that provide a more secure network environment. This thesis 
explores new approaches to Information Assurance (IA) training and the best practice 
methods necessary to address the influence of people (as users) and organizational 
procedures (as operating environment) within the DoD structure on information security. 

B. OBJECTIVE 

The underlying factor garnering all the elements of information management is 
the influence of the people who create and/or use information. People influence the array 
of information we desire and intend to use, whether in the military or civilian market. 
People are the operators of the computers, machines or devices, influencing what is 
produced, collected, disseminated, interpreted, and ultimately acted upon to make 
decisions. People are also the foundations of potential strengths and weaknesses within a 
given network or information infrastructure. In the end, people are the ancestral roots of 
information management (good or bad), and their influence inherently frames the nature 
and effectiveness of how an infrastructure or installation envisions information security. 

2 President of the United States, The National Strategy to Secure Cyberspace. United States: The 
White House, Washington D.C. 2003. 
http://www.dhs.gov/xlibrary/assets/National Cyberspace Strategy.pdf (Last accessed 05 September 2008). 

3 Naval Network Warfare Command (NETWARCOM) Strategic Plan 2006-2010 (Version 2.1), 
NETWARCOM, Norfolk, VA. 1 November 2007. http://www.netwarcom.navy.mil/ (Last accessed 16 
July 2008). 

The objective of this thesis is to assess the People and Organizational (P-O) 
aspect of secure network environments with respect to the current standards and 
procedures that the Department of Defense implements toward protecting network 
infrastructures. More specifically, how will the DoD revive Information Assurance 
training standards and establish a “best practice” model that streamlines procedures while 
minimizing the potential for compromising the integrity of critical information flow? 
Finally, how can we be assured of a sustained safe level of network operations in support 
of critical mission requirements? 

C. METHODOLOGY 

To assess the impact of the P-O influence on the DoD infrastructure, an in-depth 
literature review (procedures, doctrines, and standards), internet searches, etc. were 
conducted. The literature review included DoD publications relating to the P-O influence 
on networks, such as DoD Directives 8500.1 and 8500.2: IA and IA Implementation, JP 3-13: 
Joint Doctrine for Information Operations, the CSI/FBI Computer Crime and Security 
Survey, Department of Justice material, JP 3-54: Joint Doctrine for Operations Security, 
The National Strategy to Secure Cyberspace, additional DoD publications, and various 
articles and non-DoD publications. Additionally, the literature review explored the 
current standards used to govern and mandate DoD and commercial personnel, installations 
and infrastructures to preserve the integrity of our information sources. Such documents 
included: NIST 800-18: National Institute of Standards and Technology, FIPS-199: Federal 
Information Processing Standards Publication, DCID 6/3: Director of Central Intelligence 
Directive, DoD Directive 5200.40: DITSCAP, and other theses, reports, or documentation 
relating to the P-O influence and the relationships between the P-O influence and 
information assurance policies and practices. Lastly, the analysis identifies the major 
players involved in the struggle to preserve information management. 

Next, the analysis examined the information management dilemma and established a 
baseline addressing areas of concern and interest with respect to enhancing the 
People/User role in attaining a safe information infrastructure. Additionally, current 
practices and techniques used to uphold DoD and commercial information infrastructures 
were investigated. 

Finally, using all described information sources, current DoD measures were 
critically analyzed to illustrate how the DoD and the various governmental agencies 
could establish a safe-user infrastructure model to thwart ongoing cyber attacks and 
crimes. Best practices and DoD and commercial techniques were evaluated to develop a 
conceptual design for streamlining the people/user effects (including second and third 
order effects) on a network infrastructure. Following evaluation and assessment, the 
analysis is used to develop performance metrics for testing and evaluation in order to 
validate the best information management practices that can be employed in DoD 
installations or infrastructures to deter corruption from within a network. 

D. THESIS ORGANIZATION 

This thesis consists of six chapters addressing the effect of the People and 
Organizational criterion on network security, with focused emphasis on DoD Information 
Assurance (IA) and OPSEC. Chapter II examines the history, origins, terms and 
definitions, and all pertinent documents and publications currently in use with respect 
to the P-O aspect of minimizing loss or damage to the DoD network or information 
infrastructure. Chapter II also discusses the role of the various federal agencies and 
DoD branches in IA and OPSEC. Chapter III focuses on the insider threat as a specific 
area of concern. In addition, Chapter III investigates and analyzes the Federal 
Information Security Management Act (FISMA) report(s) used to evaluate the various 
governmental departments. Chapter IV proposes a revitalized approach to the current IA 
awareness training and introduces an IA best practice rule set to be implemented across 
all installations to counter inside and outside cyber attacks. Chapter V investigates and 
makes recommendations based on the two IA approaches from Chapter IV with respect to the 
P-O aspect. Additionally, Chapter V looks to alleviate risks and vulnerabilities by 
introducing a Safe-User model, metrics for evaluation, and concepts for network 
protection success. Chapter VI provides conclusions and recommendations for future work. 
The final chapter also expands on those informational areas involving the Information 
Operations (IO) areas that consist of Computer Network Defense, Information Assurance 
and/or Operations Security. 
II. LITERATURE REVIEW 


A. INTRODUCTION 

The documents cited in this chapter represent only a select subset of the various 
works studied and referenced throughout the remainder of this thesis. Each principal 
source is critiqued with a brief synopsis describing its guidance and purpose for 
information management features, with respect to aspects that address the influence of 
people and organizational procedures. Lastly, Chapter II defends the notion that current 
standards, policies and procedures are abundant, and often redundant, constantly 
re-emphasizing similar best practice principles in both the federal and civilian spheres 
of influence. 

The blueprint for Chapter II is to explore the function of Information Operations 
and the various security elements IO encompasses. Next, the various DoD publications 
relating to the People-Organizational influence are examined, followed by the standards 
used to govern and mandate DoD and commercial infrastructures. Lastly, a depiction of 
the cyber-players involved is included to show the enormity of this growing problem with 
cyber security with respect to the people or organizational influence. 

B. INFORMATION OPERATIONS 

Information is a strategic resource, vital to national security, and military 
operations depend on information and information systems for many simultaneous and 
integrated activities. Joint Publication 3-13: Information Operations is the governing 
doctrine that categorizes the role of Information Operations (IO) in today’s environment 
to help combatant commanders prepare, plan, execute, and assess IO in support of joint 
operations. JP 3-13 defines IO as: 

The integrated employment of electronic warfare (EW), computer network 
operations (CNO), psychological operations (PSYOP), military deception 
(MILDEC), and operations security (OPSEC), in concert with specified 
supporting and related capabilities, to influence, disrupt, corrupt, or usurp 
adversarial human and automated decision making while protecting our 
own.4 

The overall goal is to achieve information superiority for the United States and its 
coalition partners. As per U.S. Air Force Doctrine Document 2-5: Information 
Operations, information superiority is defined as: 

The degree of dominance in the information domain which allows friendly 
forces the ability to collect, control, exploit, and defend information 
without effective opposition.5 

The focus of this thesis expands on computer network operations (CNO) and 
operations security (OPSEC), two of the five core IO capabilities, with heavy emphasis 
on Information Assurance (IA), one of the five supporting IO capabilities. One can view 
IO through these three capabilities as a wire mesh. Throughout the mesh, paths cross and 
uncross, creating a linked network, but in the end a common goal is desired. The goal in 
this case is, through robust information infrastructure, policy and procedure, to attain 
superiority of information and to assure the flow of information as a key enabler of 
command and control. The work here has a focus that expands beyond external threats to 
considerations of “protecting our own” infrastructures from being exploited and 
corrupted via various threats, both internal and external. 

4 Joint Publication (JP) 3-13: Information Operations (IO), United States: Chairman, Joint Chiefs of 
Staff, Washington, D.C. February 13, 2006, I-1. 

5 Air Force Doctrine Document 2-5: Information Operations, United States: Department of Defense, 
Washington D.C. 11 January 2005, 1. 
Many of the capabilities of Information Operations interact with one another as 
described above. Table 1 lists the IO capabilities divided among the Core, Supporting 
and Related capabilities; the three facets of IO (CNO, OPSEC, and IA) on which this 
thesis concentrates are marked with an asterisk.6 

Information Operations (IO) Capabilities 

Core                                 Supporting                      Related 
Electronic Warfare (EW)              Information Assurance (IA)*     Civil Military Operations (CMO) 
Computer Network Operations (CNO)*   Physical Attack                 Public Affairs (PA) 
Psychological Operations (PSYOP)     Physical Security               Defense Support to Public Diplomacy (DSPD) 
Military Deception (MILDEC)          Counterintelligence (CI) 
Operations Security (OPSEC)*         Combat Camera (COMCAM) 

Table 1. Information Operations (IO) Capabilities 


1. Computer Network Operations (CNO) 

CNO is one of the latest capabilities developed in support of military operations. 
CNO stems from the increasing use of networked computers and supporting IT 
(Information Technology) infrastructure systems by military and civilian organizations.7 
CNO is divided into three main sub-categories: CNA (Computer Network Attack), CNE 
(Computer Network Exploitation), and CND (Computer Network Defense). The three CNO 
categories are described below:8 

• CNA consists of actions taken through the use of computer networks to 
disrupt, deny, degrade, or destroy information resident in computers and 
computer networks, or the computers and networks themselves. 

• CNE is enabling operations and intelligence collection capabilities conducted 
through the use of computer networks to gather data from target or adversary 
automated information systems or networks. 

• CND involves actions taken through the use of computer networks to protect, 
monitor, analyze, detect, and respond to unauthorized activity within DoD 
information systems and computer networks. CND actions protect DoD systems 
not only from an external adversary but also from exploitation from within, 
and are now a necessary function in all military operations. 

6 Joint Publication (JP) 3-13: Information Operations, I-1. 

7 Ibid., II-4. 

8 Ibid. 

2. Operations Security (OPSEC) 

OPSEC is the process of identifying critical information and subsequently 
analyzing friendly actions and other activities to: identify what friendly information is 
necessary for the adversary to have sufficiently accurate knowledge of friendly forces and 
intentions; deny adversary decision makers critical information about friendly forces and 
intentions; and cause adversary decision makers to misjudge the relevance of known 
critical friendly information because other information about friendly forces and 
intentions remains secure.9 

3. Information Assurance (IA) 

IA is defined as measures that protect and defend information and information 
systems by ensuring their availability, integrity, authentication, confidentiality, and 
non-repudiation. This includes providing for restoration of information systems by 
incorporating protection, detection, and reaction capabilities.10 As per Joint Pub 3-13, IA 
is necessary to gain and maintain information superiority. Furthermore, IA is achieved in 
DoD systems by imposing requirements for a defense-in-depth approach that integrates 
the capabilities of people, operations, and technology to establish multilayer and 
multidimensional protection to ensure survivability and mission accomplishment. IA 
must assume that access can be gained to information and information systems from 
inside and outside DoD-controlled networks.11 

9 Joint Publication (JP) 3-54: Operations Security (OPSEC), United States: Chairman, Joint Chiefs of 
Staff, Washington D.C. 2006, I-1. 

10 DoD Directive 8500.01E: Information Assurance (IA). United States: Department of Defense, 
Washington D.C. 23 April 2007, 17. 

The Committee on National Security Systems (CNSS) defines the key terms 
commonly used for Information Assurance. Confidentiality, Integrity, and Availability 
(C.I.A.) are the three most commonly used IA attributes. These key terms and others are 
described in Table 2.12 


Information Assurance (IA) Key Terminology 

Confidentiality: Assurance that information is not disclosed to unauthorized 
individuals, processes, or devices. 

Integrity: Quality of an information system reflecting the logical correctness and 
reliability of the operating system; the logical completeness of the hardware and 
software; and the consistency of the data structures and occurrence of the stored data. 

Availability: Timely, reliable access to data and information services for authorized 
users. 

Authentication: Security measure designed to establish the validity of a transmission, 
message, or originator, or a means of verifying an individual's authorization to receive 
specific categories of information. 

Non-Repudiation: Assurance the sender of data is provided with proof of delivery and 
the recipient is provided with proof of the sender's identity, so neither can later deny 
having processed the data. 

Table 2. Information Assurance (IA) Key Terminology 


C. DOD PUBLICATIONS: PEOPLE-ORGANIZATIONAL (P-O) ASPECT 

1. DoD Directive 8500.01E: Information Assurance (IA) 

DoD Directive 8500.01E establishes the IA policy and assigns responsibilities to 
achieve DoD Information Assurance through a defense-in-depth approach that integrates 
the capabilities of personnel, operations, and technology, and supports the evolution to 
network centric warfare. Below are a few key policies found in DoD Directive 8500.01E:13 

• All DoD information systems shall maintain an appropriate level of 
confidentiality, integrity, authentication, non-repudiation, and availability that 
reflects a balance among the importance and sensitivity of the information and 
information assets; documented threats and vulnerabilities; the trustworthiness 
of users and interconnecting systems; the impact of impairment or destruction 
to the DoD information system; and cost effectiveness. 

• Interoperability and integration of IA solutions within or supporting the DoD 
shall be achieved through adherence to an architecture that will enable the 
evolution to network centric warfare by remaining consistent with the C4ISR 
architecture framework and a defense-in-depth approach. 

• The DoD shall organize, plan, assess, train for, and conduct the defense of 
DoD computer networks as integrated computer network defense (CND) 
operations that are coordinated across multiple disciplines. 

• Information assurance readiness shall be monitored, reported, and evaluated 
as a distinguishable element of mission readiness throughout all the DoD 
Components, and validated by the DoD CIO (Chief Information Officer). 

11 Joint Publication (JP) 3-13: Information Operations, II-6. 

12 CNSSI (Committee on National Security Systems Instruction) 4009: National Information 
Assurance Glossary, National Security Agency, Ft. Meade, MD, 2003, 4-34. 

13 DoD Directive 8500.01E: Information Assurance (IA), 3-4. 
2. DoD Directive 8500.2: Information Assurance Implementation 

DoD Directive 8500.2 describes the roles and responsibilities from the network 
information and knowledge manager and the IA Officer down to the everyday individual 
user. Since it mostly stresses the roles and responsibilities of the network manager, room 
still exists for improvement in the roles, responsibilities and consequences for the 
everyday user. Additionally, 8500.2 lists and describes all IA controls (divided among the 
C.I.A. categories) that need to be incorporated throughout an installation’s network 
security plan to enhance network security.14 A more precise description of a security plan 
is presented in section D.1. 

3. Joint Publication 3-13: Information Operations 

JP 3-13 is described above in Section B, illustrating the various elements that 
comprise Information Operations. From the introduction of IO, each element can be 
further broken down into Core, Supporting and Related capabilities for a more complete 
understanding. CNO, OPSEC, and IA are the main focus of this thesis. 

4. The National Strategy to Secure Cyberspace 

The National Strategy to Secure Cyberspace was released in February 2003 by 
the President of the United States to guide the DoD and the various agencies, in unison 
with the public and private sectors, in addressing cyberspace related concerns. The 
National Strategy to Secure Cyberspace identified five major priorities for action:15 

• Priority I: A National Cyberspace Security Response System. 

• Priority II: A National Cyberspace Security Threat and Vulnerability 
Reduction Program. 

• Priority III: A National Cyberspace Security Awareness and Training 
Program. 

• Priority IV: Securing Governments’ Cyberspace. 

• Priority V: National Security and International Cyberspace Security 
Cooperation. 

14 DoD Directive 8500.2: Information Assurance (IA) Implementation. United States: Department of 
Defense, Washington D.C. 2003, 25. 

15 President of the United States, The National Strategy to Secure Cyberspace, 3-4. 

Expanding on the five priorities listed above, The National Strategy to Secure 
Cyberspace specified explicit programs and initiatives requiring action in response to 
cyberspace security. The explicit actions, with their associated priority, are:16 

• Establish a public and private architecture for responding to national-level 
cyber incidents. (Priority I) 

• Exercise cybersecurity continuity plans for federal systems. (Priority I) 

• Enhance law enforcement’s capabilities for preventing and prosecuting 
cyberspace attacks. (Priority II) 

• Promote a comprehensive national awareness program to empower all 
Americans (businesses, the general workforce, and the general population) 
to secure their own parts of cyberspace. (Priority III) 

• Foster adequate training and education programs to support the Nation’s 
cybersecurity needs. (Priority III) 

• Increase the efficiency of existing federal cybersecurity training programs. 
(Priority III) 

• Continuously assess threats and vulnerabilities to federal cyber systems. 
(Priority IV) 

• Work with industry and through international organizations to facilitate 
dialogue and partnerships among international public and private sectors 
focused on protecting information infrastructures. (Priority V) 

16 President of the United States, The National Strategy to Secure Cyberspace, 19-52. 
5. Joint Publication 3-54: Joint Doctrine for Operations Security 

Similar to the description given in section B.2, Operations Security (OPSEC) is a 
process of identifying critical information and subsequently analyzing friendly actions 
attendant to military operations to:17 

• Identify those actions that can be observed by adversary intelligence systems. 

• Determine what indicators adversary intelligence systems might obtain that 
could be interpreted or pieced together to derive critical information in time to 
be useful to adversaries. 

• Select and execute measures that eliminate or reduce to an acceptable level the 
vulnerabilities of friendly actions to adversary exploitation. 

OPSEC’s most important characteristic is that it is a process and not a collection 
of specific rules and instructions that can be applied to every operation. Therefore, 
OPSEC and security programs must be closely synchronized to ensure that all features of 
sensitive operations are protected.18 

D. STANDARDS USED TO GOVERN AND MANDATE DOD AND COMMERCIAL 
INFRASTRUCTURES 

1. NIST 800-18: National Institute of Standards and Technology, Guide 
for Developing Security Plans for Federal Information Systems 

The objective of NIST 800-18 is to lay the framework for system security 
planning for any installation in order to improve the protection of information system 
resources. All federal systems have some level of sensitivity and require protection as 
part of good management practice. The protection of a system must be documented in a 
system security plan. The purpose of the system security plan is to provide an overview 
of the security requirements of the system and describe the controls in place or planned 
for meeting those requirements. The system security plan also delineates responsibilities 
and expected behaviors of all individuals who access the system. The system security 
plan should be viewed as the documentation of the structured process of planning 
adequate, cost-effective security protection for a system.19 A system security plan 
includes: 

• Security requirements. 

• Current defensive posture. 

• Plans for future changes. 

• Responsibilities and expected behaviors of the users, administrators, and 
managers. 

17 Joint Pub 3-54: Joint Doctrine for Operations Security (OPSEC), I-1. 

18 Ibid. 

2. FIPS Pub-199: Federal Information Processing Standards Publication, 
Standards for Security Categorization of Federal Information and 
Information Systems 

FIPS-199 is the mandatory standard to be used by all federal agencies to 
categorize all information and information systems collected or maintained by or on 
behalf of each agency, based on the objective of providing appropriate levels of 
information security according to impact (refer to Table 3).20 Security categorization 
standards for information and information systems provide a common framework and 
understanding for expressing security that promotes within the federal government:21 

• Effective management and oversight of information security programs, 
including the coordination of information security efforts throughout the 
civilian, national security, emergency preparedness, homeland security, and 
law enforcement communities. 

• Consistent reporting to the Office of Management and Budget (OMB) and 
Congress on the adequacy and effectiveness of information security policies, 
procedures, and practices. 

19 Pauline Bowen, Joan Hash and Marianne Swanson. NIST (National Institute of Standards and 
Technology) Special Publication 800-18, Information Security: Guide for Developing Security Plans for 
Federal Information Systems, United States: Department of Commerce, Gaithersburg, MD, 2006, vii. 

20 FIPS Pub-199, Federal Information Processing Standards Publication: Standards for Security 
Categorization of Federal Information and Information Systems, United States: Department of Commerce, 
Gaithersburg, MD, 2004, 6. 

21 Pauline Bowen, Joan Hash and Marianne Swanson, 2. 
Below, Table 3 reviews the potential impact definitions for the three (C.I.A.) security 
objectives:22 

Potential Impact for Security Objectives 

Confidentiality: Preserving authorized restrictions on information access and 
disclosure, including means for protecting personal privacy and proprietary information. 
[44 U.S.C., Sec. 3542] 
  Low: The unauthorized disclosure of information could be expected to have a limited 
  adverse effect on organizational operations, organizational assets, or individuals. 
  Moderate: The unauthorized disclosure of information could be expected to have a 
  serious adverse effect on organizational operations, organizational assets, or 
  individuals. 
  High: The unauthorized disclosure of information could be expected to have a severe 
  or catastrophic adverse effect on organizational operations, organizational assets, or 
  individuals. 

Integrity: Guarding against improper information modification or destruction, and 
includes ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542] 
  Low: The unauthorized modification or destruction of information could be expected 
  to have a limited adverse effect on organizational operations, organizational assets, 
  or individuals. 
  Moderate: The unauthorized modification or destruction of information could be 
  expected to have a serious adverse effect on organizational operations, organizational 
  assets, or individuals. 
  High: The unauthorized modification or destruction of information could be expected 
  to have a severe or catastrophic adverse effect on organizational operations, 
  organizational assets, or individuals. 

Availability: Ensuring timely and reliable access to and use of information. 
[44 U.S.C., Sec. 3542] 
  Low: The disruption of access to or use of information or an information system 
  could be expected to have a limited adverse effect on organizational operations, 
  organizational assets, or individuals. 
  Moderate: The disruption of access to or use of information or an information system 
  could be expected to have a serious adverse effect on organizational operations, 
  organizational assets, or individuals. 
  High: The disruption of access to or use of information or an information system 
  could be expected to have a severe or catastrophic adverse effect on organizational 
  operations, organizational assets, or individuals. 

Table 3. Potential Impact Definitions for Security Objectives 


3. Federal Information Security Management Act of 2002 (FISMA)

The Federal Information Security Management Act of 2002, 44 U.S.C. § 3541, is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002, emphasizing information security.23 The act was meant to bolster computer and network security within the federal government and affiliated parties by mandating yearly audits.


22 From: FIPS Pub-199, 2. 

23 United States Congress (107th Congress), H.R. 2458 Title III of the E-Government Act of 2002: Information Security, 44 U.S.C. § 3541, 2002. http://uscode.house.gov/download/pls/44C35.txt (Last accessed 20 August 2008).
FISMA has brought attention within the federal government to cybersecurity, which had previously been much neglected. In February 2005, many government agencies received extremely poor marks on the official FISMA report card, with an average of 67.3% for 2004, an improvement of only 2.3 percentage points over 2003. Grades have not shown any substantial improvement since, a sign of persistent weaknesses. Chapter III analyzes the results of OMB's annual FISMA reports from 2005 and 2007.

4. Director of Central Intelligence Directive, DCID 6/3: Protecting Sensitive Compartmented Information within Information Systems Manual

United States intelligence information requires protection of the same three attributes that FISMA addresses: confidentiality, integrity, and availability. The degree of emphasis on each varies with the type of information processed and the mission of the organization responsible for the data. DCID 6/3 recognizes the contributions to security made by operating environments, and allows the technical safeguards of systems to be modified accordingly.24

5. DoD Instruction 5200.40: Defense Information Technology Security Certification and Accreditation Process (DITSCAP)

The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) is the process defined by the United States Department of Defense (DoD) for managing risk. DITSCAP establishes a standard DoD-wide process with a set of activities, general tasks and a management structure to certify and accredit an Automated Information System (AIS) so that it maintains the Information Assurance (IA) posture of the Defense Information Infrastructure (DII) throughout the system's life cycle. Since December 1997, DITSCAP has applied to the acquisition, operation and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information.25

24 DCID 6/3, Director of Central Intelligence Directive 6/3: Protecting Sensitive Compartmented Information (SCI) within Information Systems Manual. 2000.

25 DoD Instruction (DoDI) 5200.40: Defense Information Technology Security Certification and Accreditation Process (DITSCAP). United States: Department of Defense, Washington, DC: 1997.
6. Office of Management and Budget (OMB) Circular A-130 & Appendix III

OMB Circular A-130, Management of Federal Information Resources, is one of many circulars produced by the United States Federal Government to establish policy for executive branch departments and agencies.26 OMB Circular A-130 makes it mandatory for agencies and departments to implement the requirements of the Computer Security Act of 1987 and the Federal Information Security Management Act of 2002.27 FISMA has since superseded the requirements of the Computer Security Act of 1987.

Specific guidelines for OMB Circular A-130 require:

• All federal information systems to have security plans.

• Systems to have formal emergency response capabilities.

• A single individual to have responsibility for operational security.

• Security awareness training to be made available to all government users and administrators of the system.

• Regular review and improvement of contingency plans.

OMB Circular A-130 Appendix III establishes a minimum set of controls to be included in Federal automated information security programs, assigns Federal agency responsibilities for the security of automated information, and links agency automated information security programs to the agency management control systems established in accordance with OMB Circular A-130.28


26 OMB Circular A-130, Management of Federal Information Resources, United States: Office of Management and Budget, Washington D.C. 2000. http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html (Last accessed 09 August 2008).

27 The Computer Security Act of 1987 was passed by Congress to improve the security and privacy of sensitive information in Federal computer systems and to establish minimum acceptable security practices for such systems. http://en.wikipedia.org/wiki/Computer_Security_Act_of_1987 (Last accessed 15 August 2008).

28 OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources, United States: Office of Management and Budget, Washington, D.C. 2000.
E. CYBER-PLAYERS INVOLVED

1. Federal Bureau of Investigation (FBI)

The Department of Justice and the FBI lead the national effort to investigate and prosecute cybercrime.29 The FBI has established a Cyber Operations workforce including Cyber Action Teams, Computer Crimes Task Forces, and Internet Crime Complaint Centers. Additionally, the CSI/FBI Computer Crime and Security Surveys were produced with this agency, providing information and valuable statistics on cyber crime.30 Below is a set of results from the 2007 survey, illustrating the types of attack an installation is most likely to face.



Type of Attack                                                             2007
Insider abuse of Net access                                                 59%
Virus                                                                       52%
Laptop / mobile device theft                                                50%
Phishing where your organization was fraudulently represented as sender**   26%
Instant messaging misuse**                                                  25%
Denial of service                                                           25%
Unauthorized access to information                                          25%
Bots within the organization**                                              21%
Theft of customer / employee data**                                         17%
Abuse of wireless network*                                                  17%
System penetration                                                          13%

CSI 2007 Computer Crime and Security Survey
Source: Computer Security Institute

Figure 1. 2007 CSI Survey Statistics 31


29 Role of the FBI as defined on the FBI website, http://www.fbi.gov/cyberinvest/cyberhome.htm (Last accessed 15 August 2008).

30 CSI is defined as the Computer Security Institute.

31 From: Computer Security Institute (CSI) and the Federal Bureau of Investigation, CSI/FBI Computer Crime and Security Survey, United States: Department of Justice, Washington D.C. 2005. http://www.fbi.gov/page2/july05/cyber072505.htm (Last accessed 15 August 2008).
2. Department of Homeland Security (DHS)

The Department of Homeland Security National Cyber Security Division (NCSD) works collaboratively with public, private and international entities to secure cyberspace and America's cyber assets. The division is home to US-CERT (US Computer Emergency Readiness Team) operations and the National Cyber Alert System.32 The DHS Science and Technology Directorate also helps government and private end-users transition to new cyber-security capabilities. To protect the cyber infrastructure, NCSD has identified two main objectives. First, to build and maintain an effective national cyber response system. Second, to implement a cyber-risk management program for protection of critical infrastructures.33

From the National Strategy to Secure Cyberspace, the DHS is responsible for developing the national cyberspace security response system, which includes providing crisis management support in response to threats to, or attacks on, critical information systems. Additionally, DHS coordinates with other agencies of the federal government to provide specific warning information, and advice about appropriate protective measures and countermeasures, to state and local government agencies and authorities, the private sector, other entities, and the public.34

3. Department of Defense (DoD)

The Department of Defense Cyber Crime Center (DC3) sets standards for digital evidence processing, analysis, and diagnostics for any DoD investigation that requires computer forensic support to detect, enhance, or recover digital media, including audio and video. DC3 remains on the leading edge of computer technologies and techniques


32 Role of the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) as defined on the DHS website, http://www.dhs.gov/xabout/structure/editorial_0839.shtm (Last accessed 22 August 2008).

33 Ibid.

34 President of the United States, The National Strategy to Secure Cyberspace, 20. 
through research, development, testing, and evaluation applied to digital evidence processing and computer forensic analysis; and by partnering with governmental, academic, and private industry computer security officials.35

The Defense Cyber Crime Institute (DCCI) provides legally and scientifically accepted standards, techniques, methodologies, research, tools, and technologies on computer forensics and related technologies to meet the current and future needs of the DoD counterintelligence, intelligence, information assurance, information operations, and law enforcement communities.36

The DoD military services also play a pivotal role in the cyberspace domain. The U.S. Air Force may soon stand up a new Air Force Cyber Command (starting on 1 October 2008) with the mission to secure the nation by employing world-class cyberspace capabilities to control cyberspace, create integrated global effects and deliver sovereign options.37 The U.S. Army provides high quality virtual Information Assurance and Computer Network Defense training and certification for DoD personnel at Fort Gordon, Georgia.38 Like the Army, the United States Marine Corps established an IA Division (based in Quantico, VA) to oversee and perform continuous assessment of USMC IA operations and resource expenditures to evaluate the extent to which policy objectives are being achieved.39 Finally, the U.S. Navy developed an Information Assurance manual that sets out the IA principles and controls that apply to people, processes, and technology. The U.S. Navy IA program is set out to:


35 The Mission of the Department of Defense Cyber Crime Center (DC3), http://www.dc3.mil (Last accessed 22 August 2008).

36 Ibid.

37 Air Force Cyberspace Command, http://www.afcyber.af.mil (Last accessed 05 September 2008).

38 US Army Information Assurance Training Center, https://ia.gordon.army.mil (Last accessed 02 September 2008).

39 USMC IA Headquarters, http://www.quantico.usmc.mil/activities/?Section=IA (Last accessed 02 September 2008).
Deliver secure, interoperable, and integrated information management and information technology to the Marine and Sailor to support the full spectrum of war-fighting and war-fighting support missions.40

40 Secretary of the Navy, SECNAV M-5239.1: Information Assurance Manual, Department of the Navy, United States, November 2005, 3. www.fas.org/irp/doddir/navy/secnavinst/m5239_1.pdf (Last accessed 02 September 2008).
F. LITERATURE REVIEW ANALYSIS

The literature review of this thesis included approximately 30 documents and publications relating to information security, from both the governmental and civilian sectors. In general, the vast majority of the documents clearly depicted a "top-down" approach, while very few represented any "bottom-up" perspective on information security. Most take a strategic point of view, while operational and tactical concerns are pushed to the side. Redundancy was evident throughout the review, but the topic of day-to-day operations is not addressed. In essence, the bulk of documents and publications are intended for the information/knowledge managers and the hierarchical information leadership, while minimal guidance is directed towards the user and his/her roles and responsibilities to maintain information stability. Virtually no guidance or framework is given to the countless operators/users, and that which is provided is often duplicated.

Evaluating all of these works, including those not cited in Chapter II, shows an immense need for a "people-oriented" user policy that managers can maintain when dealing with the influence of people and the procedural shortfalls of the organization. Bottom-level installations deal with insider and outsider attacks daily. No standard is readily available for reference, nor is there a standard metric system for measuring compliance. The shortcomings of this environment appear to provide fertile ground for "problems waiting to happen".

Of the many documents reviewed, two stand out as "must reads" for information and knowledge managers: OMB Circular A-130 and DoD 8500.1/2 (two documents working in unison). Both of these documents discuss the behaviors and responsibilities of the user, but users are not required to read them, and no tracking and feedback method for those who have completed the reading is currently in effect. Chapter III investigates the growth of the internet and the topic of internet dependency as a critical means of communication. Additionally, Chapter III focuses on the insider threat as the specific area of concern and analyzes the annual Federal Information Security Management Act (FISMA) reports.
The concluding chapters of this thesis argue that a policy needs to be integrated with the existing network standards, focusing on the people influence by revitalizing the current Information Assurance training and implementing an IA best practice rule set. Additionally, metrics for validation will be introduced to evaluate the training and best practice methods, with the aim of improving user behaviors, awareness and responsibilities. Again, the people are the basic units of information, the people are the operators and the people control all the key mechanisms of a network, either directly or indirectly. Because of that heavy influence, the actions of the people need to be addressed and acted upon to improve IA awareness throughout the DoD.
III. THE INNER PROBLEM OF INFORMATION MANAGEMENT


A. THE WORLD WIDE WEB (INTERNET) 

1. Introduction 

As the need for information continues to rise, so does the need for speed, accuracy, and content in the information delivered. With World Wide Web connectivity growing by the second, points of strength and weakness tied to that information demand open at the same rate. The number of internet users has grown quickly over the years, allowing for more possibilities of cyber crimes and attacks. Although most users might never consider intentionally compromising a network's information or infrastructure (through hacking), some do, and therefore the potential is real.

2. Internet Users by the Numbers

With the growth of the internet, mass numbers of online users are created every day. Figure 2 depicts the number of internet users by country, illustrating the high volume and the specific concentrations of internet users throughout the world for 2007.


[Figure 2: world map of internet users by country; legend bins range from fewer than 10,000 users to more than 100,000,000 users]

Figure 2. Internet Users by Country (Volume) 41


41 From: Internet Growth graphic found on Wikipedia search on Internet Growth by Country. http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users (Last accessed 09 August 2008).
Additionally, some countries have shown a resounding dependency on internet use as the primary means of communication, both domestically and internationally. Of note (see Figures 2 and 3), the United States, Canada, Australia, Japan and Europe (particularly the Scandinavian nations) show this high concentration of users. The number of potential users also correlates to the number of potential attackers a nation may possess and/or encounter. This data does not imply that hackers from one nation do not infiltrate infrastructures outside their own borders; the user numbers simply illustrate where potential damage may originate. Although origin countries are noted, global connectivity is involved.

Figure 3 illustrates the number of internet users by country (as a percentage of population) for the year 2007. These markets of heavy internet dependence show where the potential for harm from internet users is concentrated.





[Figure 3: world map of internet users by country as a percentage of population]

Figure 3. Internet Users by Country (Percentage) 42


42 From: Internet Growth graphic found on Wikipedia search on Internet Growth by Country. 
http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users (Last accessed 09 August 
2008). 
Table 4 below lists the top ten countries for internet users ranked by the total number of internet users. The table also complements Figure 3 and provides each country's percentage of the population depending on the internet as a line of communication.

Rank  Country           Internet users   % of pop.   Date
--    World             1,173,109,925    17.8%       2007
--    European Union      273,234,619    55.7%       2007
1     China               227,000,000    16.7%       2008
2     United States       217,575,287    71.7%       2007
3     Japan                86,300,000    67.1%       2007
4     India                60,000,000     6.0%       2005
5     Germany              52,533,914    63.8%       2008
6     Brazil               50,000,000    26.1%       2008
7     United Kingdom       37,600,000    62.3%       2007
8     South Korea          34,910,000    71.2%       2007
9     France               32,925,953    53.7%       2007
10    Italy                31,481,928    52.9%       2007

Table 4. Internet Users Rankings by Number 43


From this data set, the nations with the highest numbers and percentage of users 
come as no surprise. These nations are typically found leading the charge towards 
innovative and cutting edge technologies and pioneering industrial trends for the future. 


43 From: Internet Growth graphic found on Wikipedia search on Internet Growth by Country. http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users (Last accessed 09 August 2008).
3. The Growth of the Internet

The growth of the Internet has drastically increased over the past 13 years. This was hard to imagine in 1995, when only 0.4% of the world's population had the capability to get globally connected. Figure 4 below illustrates the rapid growth of the internet, providing graphical and statistical data dating back to 1995 and projecting forward to 2010:

[Figure 4: chart of internet users in the world, 1995-2010. Source: www.internetworldstats.com - January, 2008. Copyright © 2008, Miniwatts Marketing Group]

Figure 4. Internet Users in the World Growth 1995-2010 44
44 From: Internet Users in the World Growth 1995-2010 figure found on http://www.allaboutmarketresearch.com/internet.htm (Last accessed 29 August 2008).
In conjunction with Figure 4 above, Table 5 provides the approximate number of users, with the percentage of the world population from December 1995 to May 2008 and the percent growth since December 1995:

Growth of Internet Users (1995-2008)

Date              Number of Users   % World Population   % of Growth Since 1995
December, 1995    16 million        0.40%                -
December, 1996    36 million        0.90%                225.00%
December, 1997    70 million        1.70%                437.50%
December, 1998    147 million       3.60%                918.70%
December, 1999    248 million       4.10%                1550.00%
December, 2000    361 million       5.80%                2256.20%
December, 2001    513 million       8.60%                3206.20%
December, 2002    587 million       9.40%                3668.70%
December, 2003    719 million       11.10%               4493.70%
December, 2004    817 million       12.70%               5106.20%
December, 2005    1,018 million     15.70%               6362.50%
December, 2006    1,093 million     16.70%               6831.20%
December, 2007    1,319 million     20.00%               8243.70%
May, 2008         1,412 million     21.20%               8825.00%

Table 5. Growth of Internet Users (1995-2008) 45


The data above visibly illustrates an exponential-like growth of the internet over a rather short period of time. From 1995 to 1996, the number of internet users more than doubled from 16 million to 36 million, with less than 1% of the world globally connected. From 1995 to 2000, the five year period indicated a growth of 2256.2%, with 5.8% of the world's population having global connectivity. Finally, from 1995 to May 2008, the growth swelled to 8825%, with 21.2% of the world's population having global connectivity.

From this data, it is clear that people have adopted the internet as a primary means of communication. Like the people, information infrastructures utilize the internet as a primary means of communication to collect, distribute and disseminate critical information to other host installations. As examples, people commonly pay their monthly bills via the internet, purchase items, do business with financial institutions and manage their retirement portfolios. From the perspective of the Department of Defense, critical mission-related information is passed via the internet to coordinate among the many moving parts of most military operations. Protecting information is paramount for information security success.

45 After: Internet Users in the World Growth 1995-2008 data found on http://www.allaboutmarketresearch.com/internet.htm (Last accessed 29 August 2008).

B. THE INSIDER ATTACK

A recent study by the Secret Service found that insider attacks on computers and networks are not rare occurrences, and that most attacks are planned in advance. Insider attacks are the most detrimental within an information infrastructure. The statistics provided depict the scope of insider attacks in the commercial (non-DoD) sphere.

Below are the statistics from the Secret Service study:46

• 80% of insiders who launched attacks on their companies had exhibited negative behaviors before the incident.

• 92% had experienced a negative work-related event, such as a demotion, transfer, warning or termination.

• At the time of the incident, 59% were former employees or contractors, while 41% were still on the company clock.

• Of the former employees, 48% had been fired, 38% had resigned and 7% had been laid off.

• 86% were employed in a technical position. Of them, 38% were system administrators.

• 21% were programmers, 14% were engineers and 14% were IT specialists.

• 57% of insiders were perceived by others to be disgruntled.

• The majority of insiders compromised computer accounts, created unauthorized backdoor accounts or used shared accounts in their attacks.

46 Sharon Gaudin, "Study Highlights Insider Threats," Information Week, 25 August 2006. http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=192300421 (Last accessed 05 September 2008).
The insider threat can be the most detrimental to a company or governmental agency. The 2007 Computer Crime Survey indicated that 59% of the attacks on a network were classified as insider abuse.47 Insiders do not need a great deal of knowledge about computer intrusion, because their knowledge of the system often allows them to gain unrestricted access to damage the system or steal system data.48 Understanding that insiders and social engineering do exist is more than enough to label them a major concern.49

C. OFFICE OF MANAGEMENT AND BUDGET: FISMA REPORTS (FEDERAL INFORMATION SECURITY MANAGEMENT ACT)

Each fiscal year, the Office of Management and Budget (OMB) produces a report evaluating the various departments of the US government on matters of computer security. The goals of the yearly FISMA reports are to evaluate the development of network security frameworks in order to protect the government's information, operations, and assets. The results of the annual FISMA report inform Congress (and the public) of the Federal government's security performance for a given fiscal year, while fulfilling the yearly OMB requirement.50 Included in the reports are the strengths and weaknesses and plans of action to improve performance.


47 Internet Crime Complaint Center (IC3), 2007 Internet Crime Report, 13.

48 Gregory Wilshusen, GAO-08-496T: Information Security Issues (FISMA Analysis), United States: US Government Accountability Office, Washington D.C. February 2008, 6. http://www.gao.gov/new.items/d08496t.pdf (Last accessed 31 August 2008).

49 Social engineering is the act of tricking another person into providing confidential information by posing as an individual who is authorized to receive that information.

50 Office of Management and Budget (OMB): Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002, United States: OMB, Washington D.C. 2007. http://www.whitehouse.gov/omb/ (Last accessed 25 August 2008).
The six categories FISMA grades are as follows:

FISMA Scoring Categories                    Point Value
Annual Testing                              20
Plan of Action and Milestones (POA&M)       15
Certification and Accreditation             20
Configuration Management                    20
Incident Detection and Response             15
Training                                    10
Total                                       100

Table 6. FISMA Scoring Categories


The FISMA letter grade distribution uses the following scale:

97 to 100 = A+    94 to 96 = A    90 to 93 = A-
87 to 89 = B+     84 to 86 = B    80 to 83 = B-
77 to 79 = C+     74 to 76 = C    70 to 73 = C-
67 to 69 = D+     64 to 66 = D    60 to 63 = D-
59 and lower = F


Additionally, FISMA requires that agencies implement information security programs that, among other things, include:51

• Periodic assessments of the risk. 

• Risk-based policies and procedures. 

• Subordinate plans for providing adequate information security for networks, 
facilities, and systems or groups of information systems, as appropriate. 

• Security awareness training for agency personnel, including contractors and 
other users of information systems that support the operations and assets of 
the agency. 

• Periodic testing and evaluation of the effectiveness of information security 
policies, procedures, and practices, performed with a frequency depending on 
risk, but no less than annually. 

• A process for planning, implementing, evaluating, and documenting remedial 
action to address any deficiencies. 


• Procedures for detecting, reporting, and responding to security incidents.

• Plans and procedures to ensure continuity of operations.

Since the inception of the FISMA reporting standard, the Department of Defense has not shown any positive signs of improvement towards network security in any recent reports. The next section analyzes the FISMA reports.

51 Gregory Wilshusen, 8.


1. Fiscal Year 2005 FISMA Results

The FY2005 FISMA computer security results were used as a reference point in this analysis to establish a baseline for network security compliance. The results from FY2005 and FY2007 were compared to analyze any positive or negative trends in the various departments in the FISMA report. DoD results were explicitly examined.

The FISMA report card for FY2001 to FY2005 (Table 7) presents the grades from the various governmental departments, illustrating any positive or negative trends. Some departments displayed increases in computer security, instilling positive procedures and techniques, while others declined.52



52 Office of Management and Budget (OMB); Fiscal Year 2005 Report to Congress on 
Implementation of The Federal Information Security Management Act of2002, United States; OMB, 
Washington D.C. 2005. http://www.whitehouse.gov/omb/ (Last accessed 25 August 2008). 

53 After: Fiscal Year 2005 FISMA Results. 
The FY2005 FISMA results indicated a negative tendency towards network security compliance, particularly from the DoD. The DoD grades from FY2001 to FY2005 indicated no improvement while other departments did improve (the largest improvement was 78%). DoD grades ranged from a minimum of 38% in FY2002 to a maximum of 65.5% in FY2003. The overall government-wide average increased from 53% in FY2001 to 67.4% by FY2005, a change of 14.4 percentage points. However, five years after FISMA was enacted, poor information security was still a widespread dilemma.

2. Fiscal Year 2007 FISMA Results 


The FY2007 FISMA results did not indicate any significant difference in the DoD attitude on network security compliance from the FY2005 baseline.54 Only letter grades (no numerical score) were provided in the FY2007 report.55 Table 8 confirms that DoD network security grades (D- for FY2007 and F for FY2006) were clearly below the government-wide average of a C.


FEDERAL COMPUTER SECURITY REPORT CARD (May 2008)

GOVERNMENTWIDE GRADE 2007: C (2006: C-)

Agency                                           2007            2006
Department of Justice                            A+              A-
Agency for International Development             A+*             A+
Environmental Protection Agency                  A+              A-
National Science Foundation                      A+*             A+
Social Security Administration                   A+*             A
Housing and Urban Development                    A               A+
Office of Personnel Management                   A-              A+
General Services Administration                  B+              A
Department of Energy                             B+              [not legible]
Department of Homeland Security                  B+              D
Department of Health and Human Services          B               B
Small Business Administration                    B               B+
National Aeronautics and Space Administration    C               D-
Department of State                              C*              F
Department of Education                          C-              F
Department of Commerce                           D+              F
Department of Transportation                     D               B
Department of Labor                              D               B-
Department of Defense                            D-              F
Department of the Interior                       F               F
Department of Treasury                           [not legible]   [not legible]
Nuclear Regulatory Commission                    F               F
Department of Veterans Affairs                   F               N/A
Department of Agriculture                        F               F

Table 8. FY2007 Federal Computer Security Grades (FISMA) 56


54 Gregory Wilshusen, 3. 

55 Fiscal Year 2007 FISMA Results, www.whitehouse.gov/omb (Last accessed 25 August 2008) 

56 After: Fiscal Year 2007 FISMA Results. 
Other departments, like the Department of Justice, the Environmental Protection 
Agency, and Social Security Administration all showed continual improvement since 
FY2001. Even though the DoD incorporates and originates countless documents, 
doctrines, and standards to enhance network security policies and procedures for the 
information & knowledge managers, scores reflect a failing trend. 

FISMA identifies specific government-wide weaknesses, but no specific 
departmental weak spots were disclosed. These persistent weaknesses are identified 
below:57 

• Access controls, which ensure that only authorized individuals can read, alter, 
or delete data. 

• Configuration management controls, which provide assurance that only 
authorized software programs are implemented. 

• Segregation of duties, which reduces the risk that one individual can 
independently perform inappropriate actions without detection. 

• Continuity of operations planning, which provides for the prevention of 
significant disruptions of computer-dependent operations. 

• An agency-wide information security program, which provides the framework 
for ensuring that risks are understood and that effective controls are selected 
and properly implemented. 


57 Gregory Wilshusen, 12-20. 
[Figure 5: bar chart. Vertical axis "Number of agencies" (0, 6, 12, 18, 24). Categories on the 
horizontal axis: Access control; Configuration management; Segregation of duties; Service 
continuity; Entitywide security program. Source: GAO analysis of agency performance and 
accountability reports for FY2007.] 

Figure 5. Number of Major Agencies Reporting Weaknesses in Control Categories58 


Continuing with the weaknesses found by the FISMA reports:59 

• 19 of 24 agencies did not implement controls to sufficiently prevent, limit, or 
detect access to computer networks, systems, or information. Control 
sub-categories are listed below: 

■ Identify & authenticate users to prevent unauthorized access. 

■ Enforce the principle of least privilege to ensure that authorized access 
was necessary and appropriate. 

■ Establish sufficient boundary protection mechanisms. 

■ Apply encryption to protect sensitive data on networks and portable 
devices. 

■ Log, audit, and monitor security-relevant events. 

■ Agencies also lacked effective controls to restrict physical access to 
information assets. 


58 After: Gregory Wilshusen, 12-20. 
59 Ibid. 
• Agencies had developed and documented information security policies, 
standards, and guidelines for information security, but did not always provide 
specific guidance for securing critical systems. 

• Security plans were not always up-to-date or complete. 

• Five major agencies reported challenges in ensuring that members had 
received security awareness training. 

• Agencies did not ensure all information security employees and contractors, 
including those who have significant information security responsibilities, 
received sufficient training. 

• Agencies have experienced a wide range of incidents involving data loss or 
theft, computer intrusions, and privacy breaches, underscoring the need for 
improved security practices. 


Left on its own, only marginal improvements to any of the previously discussed 
weaknesses can be expected (especially true in the DoD). To improve FISMA scores, the 
DoD needs to begin implementing changes to the standards and policies enforced on 
basic users. As previously described, users (the people) are the elementary component in 
the grand scheme towards information infrastructure security. Revitalizing security 
awareness training and ensuring compliance (through a set of rigorous metrics) is one 
avenue of approach to enhancing network security and instilling the elements of 
Information Assurance throughout the DoD information infrastructure. In addition, a 
best IA practices framework needs to be initiated and implemented throughout DoD 
infrastructures/installations. The IA best practice rule set should be managed by the 
network managers, but carried out daily by the individual users. Non-compliance with any 
procedural requirement should be handled appropriately. The people need to be held 
accountable for their actions. 





D. RECAP 


Whether in the civilian market or in the federal government, defending 
information and networks against network attacks (inside and outside) must be a cause 
that is readily realized by all unit members. Refinement of current security mechanisms 
and Information Assurance standards and procedures is the bare minimum course of 
action. Actions need to be an “all-hands” effort. Chapters IV and V will analyze the 
existing DoD Information Assurance training standard and propose meaningful changes 
and recommendations that will ensure better FISMA report cards (even though the report 
cards are only an indicator of improved information security and dominance). 
Additionally, a safe-user, best practice model for user behaviors, roles and 
responsibilities will be presented to tackle segments of the third priority of The National 
Strategy to Secure Cyberspace (A National Cyberspace Security Awareness and Training 
Program) and develop a useful set of metrics that can be employed to evaluate the 
performance of the safe user model. 
IV. REVITALIZED INFORMATION ASSURANCE APPROACH 


A. INTRODUCTION 

Many potential cyber (relating to, or involving, computers and networks) 
vulnerabilities exist because of a lack of cybersecurity awareness on the part of the 
computer users, system administrators, technology developers, and the chief information 
officers, just to name a few. Such awareness-based vulnerabilities present serious risks to 
critical information network infrastructures regardless of whether they currently exist, or 
potentially exist, within the infrastructure itself. A lack of trained personnel and the 
absence of widely accepted Information Assurance (IA) programs complicate any hope 
of reducing cyber vulnerabilities.60 This chapter describes how knowledge and 
information managers need to enforce training standards and implement IA “best 
practice” rules of behavior to defeat such risks and vulnerabilities and to ensure that 
required infrastructures are secure. 

The National Strategy to Secure Cyberspace defined several meaningful tasks 
toward cyberspace awareness. One cited awareness element, Priority III: A National 
Cyberspace Security Awareness and Training Program, emphasized the need to increase 
the efficiency and compliance of cybersecurity training in Government, companies, 
universities, and the Nation’s computer users.61 Furthermore, explicit actions of Priority 
III were offered to enhance the awareness, education and training of Information 
Assurance for all users. These explicit actions are listed below: 

• Promote a comprehensive national awareness program to empower all DoD 
service members to secure their own parts of cyberspace. 

• Foster adequate training and education programs to support the Nation’s 
cybersecurity needs. 

• Increase the efficiency (i.e. reducing the amount of cybercrime) of existing 
federal cybersecurity training programs. 


60 President of the United States, The National Strategy to Secure Cyberspace, 4. 
61 Ibid, 37-38. 
B. IA AWARENESS TRAINING 


1. The Current Method 


The current DoD IA awareness training is conducted on a yearly basis. IA 
training is web-based and the overall content is sufficient, but to a certain extent 
elementary. The user launches the web-based trainer (via NKO, AKO, or NPS for 
example)62 and basically executes an interactive session. The course is divided among 
six sections (refer to Figure 6). Below are a few screenshots of the current DoD IA 
Training: 



[Figure 6: screenshot of the course menu listing the six sections: Course Introduction; 
Importance of Information Assurance; Threats to Information Assurance; Malicious Code; 
User Roles and Responsibilities; Personal and Home Computer Security.] 

Figure 6. DoD IA Training Start-Up Page 63 


62 NKO: Navy Knowledge Online. AKO: Army Knowledge Online. NPS: Naval Postgraduate 
School. 

63 DoD IA Training Course. DoD Information Assurance, Training Notes, Annual IA Trainer via NPS 
Training Site: Pappas Notes, 2008. 
A sample page of the web-based trainer is illustrated in Figure 7. This particular page 
describes the IA Legal Requirements, Policy and Law, under the Importance of 
Information Assurance segment of the IA training. 



[Figure 7: screenshot titled "DoD Information Assurance Awareness", section "Importance 
of Information Assurance", page "IA Legal Requirements: Policy and Law", listing the 
Federal Information Security Management Act (FISMA) and OMB Circular A-130.] 

Figure 7. Sample IA Training Page 


In essence, the construct of the current IA security awareness training is only 
adequate towards an objective of “putting a check in the box,” as users are not required to 
validate any level of proficiency. Upon completion of the required IA training, each user 
prints a certificate and IA training is then considered as sufficient and complete for the 
entire year. In completing training, no feedback or question & answer metrics are 
utilized to determine whether the user grasped even a minimal understanding of 
the content of the IA training. Other than a check on completion of the requirement, no 
direct training supervision is involved either. Without some form of training monitoring, 
the user can simply click the “next” button to advance to the next lesson and finish the 
training module in far less time than is allotted. By advancing as described, the user is 


64 DoD Information Assurance, Training Notes. 
ignoring the significance of IA and displaying the exact behavior the training is trying to 
reduce. Finally, the time to complete the annual requirement (not to be confused with the 
actual time needed to complete the web-based training itself) is not a standard that is 
monitored or enforced by network managers. The next section proposes the changes 
needed to revitalize the DoD Information Assurance training program. 

2. A New Hope 

“A New Hope” fits well as the title to describe the necessary actions needed to 
incorporate a more efficient cybersecurity training mechanism. With the goal of 
improving existing IA policy, training and infrastructure, most of the key elements that 
work today will be retained and revitalized. The IA “training wheel” does not need to be 
reinvented if positive merits can be continued. It is recommended that the web-based 
trainer should remain the same in general appearance and content, but feedback, 
measures, and compliance need revitalization (or need to be added if absent in the current 
training). Furthermore, knowledge and information managers must, if not already 
procedurally in place, take charge (in a more effective manner) of the enforcement of IA 
training and as a result institute a standard set of IA best practices within their respective 
information environments. By adopting a revitalized IA proposal, the people and 
organization can gain a more watchful eye towards cybersecurity awareness, better 
understand the basic IA practices needed, and as a result assure that the value of 
information on their critical networks will not be compromised. A set of procedural steps 
describing the proposed revitalization enhancement process is as follows: 

a. Step 1: Incorporate Feedback and Question & Answer Criteria 

The first step towards the proposed revitalization is to expand the IA 
training course by integrating feedback into the current structure. The presentation and 
content of the existing IA training model is generally acceptable; however, user feedback 
needs to be incorporated throughout every section to ensure that objectives and goals of 
the program are attained. Additionally, at the completion of the IA Training, a question 
and answer evaluation must be instituted before an annual IA certificate is granted. It is 
recommended that individuals should pass a 10-Question proficiency examination with a 
minimum score of 80%, and if unsuccessful, users must retake the test until a passing 
score is achieved. Questions should be randomized to ensure users are not simply 
caching (copying) questions and answers. It is also recommended that questions be 
formatted as either multiple choice or True/False format; a format very familiar within 
the DoD structure. Appendix A includes 25 sample questions (and associated answers) 
derived from the annual DoD IA training course that could effectively be used to evaluate 
user comprehension and knowledge gained from the revitalized Information Assurance 
Awareness Training. Listed below are three specific examples of sample questions from 
Appendix A to be used for the 10-Question proficiency examination:65 

• Multiple Choice: What is the definition of Information Assurance? Measures 
that protect and defend information systems by ensuring their availability, 
integrity, confidentiality, authentication, and non-repudiation. These 
measures include providing for restoration of information systems by 
incorporating protection, detection, and reaction capabilities. 

• True or False: Information Risk Management is a statement by management 
dictating the role security plays on the organization? False, a security policy 
dictates this role. 

• Multiple Choice: What is a social engineering element of information 
assurance? The act of tricking another person into providing confidential 
information by posing as an individual who is authorized to receive that 
information. 

b. Step 2: Increase IA Currency Requirements 

The second step towards training revitalization is to increase the currency 
requirement for training. Presently, IA training is conducted annually and most often the 
timing is based on a training requirement established for the entire organization, not on 
when a user first logs onto a network. The author of this investigation believes that this 

65 Questions are derived from the DoD IA Training Course. DoD Information Assurance, Training 
Notes. 
standard is not adequate to assure the confidentiality, integrity and availability of the 
information within an infrastructure. New requirements should maintain the 
annual training requirement with additional refresher training tests required every 90 
days. At a minimum, refresher tests are recommended in concert with the DoD quarterly 
“password change” requirement. If a user forgets or loses his/her password and a 
password change is initiated, a new “90-Day” IA refresher will be required as well. This 
will not reset a user’s “90-Day” baseline date; rather it should be viewed as an extra 
training session. The “90-Day” refresher requirement is based on the annual IA 
training date. The date of the annual IA training establishes a user’s baseline date and the 
“90-Day” test will progress from that established baseline date. For new personnel, the 
annual IA training is first established on the date the user processes into a new 
organization. 


c. Step 3: Time Minimum 

Step three is to put minimum time restrictions on each training slide. The 
user’s ability to advance to the next slide before the minimum allotted time shall be 
restricted to deny those that would simply game the training program. Each slide will 
display a time counter, indicating the time remaining until the next segment can be 
initiated. Additionally, feedback questions, as described in step one, shall be randomly 
placed throughout the lecture to ensure users are actively involved with the training 
instead of leisurely scrolling through the material. As observed in past IA training 
sessions, individuals often involve themselves with other tasks while the training is in 
session. By incorporating feedback and questions throughout the trainer, the user will be 
forced to provide feedback and answers to proceed with the trainer, and therefore pay 
exclusive attention to the IA training module. 

d. Step 4: “90-Day” Specifics 

Step four specifically addresses the “90-Day” refresher trainer. Questions for 
the “90-Day” test will be just as detailed as the annual trainer; however, only five 
questions will be utilized. Users must answer 4 of the 5 questions correctly to fulfill the 
90-day requirement. If a user fails the 80% criteria, another set of five random questions 
will be required. Upon completion of the IA “90-Day” standard, in unison with the 
quarterly password change, users will be able to access the information network knowing 
that they have a role in safeguarding the information they use day in and day out. If, 
however, they repeatedly fail the “90-Day” test requirements, they are unprepared for 
network operations and should be denied access. The maximum number of failures for 
the “90-Day” refresher should be limited to five, after which the annual requirement 
must be completed again. 


e. Step 5: The Consequences for Non-Compliance 

The final step focuses more on the information and knowledge 
managers. Information and Knowledge managers need to stress the importance of IA in 
the workspace and address the ramifications of poor IA procedures and how they may 
inflict harm within networks. Furthermore, consequences need to be enforced if 
individual users abuse network security practices or are non-compliant with the current 
standards and policies. Managers need to maintain network defense and assume the 
managerial role as the “first line of defense” in the struggle with information flow. 
Network requirements should be viewed in the same way that any other organizational 
standard is viewed and enforced. For example, if a user violates any network procedural 
requirement he/she will have to re-accomplish the annual training at a minimum. 
Additionally, the user will lose network access for a minimum of 3 duty (working) days. 
As for repeat offenders, users will have to re-accomplish annual training in concert with a 
written/oral examination administered by the respective knowledge/information manager, 
and lose network access for a minimum of 10 duty days. Additionally, the user will be 
limited to two 30-minute network sessions daily until the next annual trainer or at the 
discretion of the knowledge/information manager. Lastly, a list of IA discrepancies 
should be shared with unit commanders for possible administrative penalties. 
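The five steps above form a rule set that a training-tracking system would have to encode, and writing it down as code exposes the corner cases (a password-reset refresher that must not move the baseline, the fifth failure that forces the annual course, a lockout that expires into an "annual due" state). The following Python sketch is an added illustration written for this edit; it is not part of the thesis and not DoD software. The thresholds (10 questions passed at 80%, 5 questions passed at 4 of 5, 90-day intervals from the annual baseline, a five-failure limit, 3- and 10-day lockouts) come from the steps above; the function and field names, the constructed question bank, and the simplification that lockout days are counted as calendar days rather than duty days are assumptions of the example.

```python
"""Model of the revitalized IA training rules (added example, not DoD code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import random

ANNUAL_QUESTIONS, ANNUAL_PASS_MARK = 10, 8        # 10-question exam, 80% to pass
REFRESHER_QUESTIONS, REFRESHER_PASS_MARK = 5, 4   # 5-question exam, 4 of 5 to pass
REFRESHER_INTERVAL = timedelta(days=90)
ANNUAL_INTERVAL = timedelta(days=365)
REFRESHERS_PER_YEAR = 3                           # days 90, 180 and 270 after the baseline
MAX_REFRESHER_FAILURES = 5
LOCKOUT_DAYS_FIRST, LOCKOUT_DAYS_REPEAT = 3, 10   # assumption: calendar days stand in for duty days

# Constructed question bank; real questions would come from Appendix A.
QUESTION_BANK = [(f"Sample question {i}", "A") for i in range(1, 26)]


def draw_exam(n, seed=None):
    """Pick n distinct questions at random so users cannot cache a fixed sequence."""
    return random.Random(seed).sample(QUESTION_BANK, n)


def score(responses, exam):
    """Count responses that match the answer key of the drawn exam."""
    return sum(1 for given, (_, key) in zip(responses, exam) if given == key)


@dataclass
class UserRecord:
    name: str
    baseline: Optional[date] = None        # date the annual course was last passed
    refreshers_passed: int = 0             # scheduled 90-day tests passed this cycle
    extra_refresher_pending: bool = False  # set by a password reset; does not move the baseline
    refresher_failures: int = 0            # consecutive failures since the last pass
    violations: int = 0
    lockout_until: Optional[date] = None
    network_access: bool = False


def status(rec, today):
    """What the user owes today: 'locked_out', 'annual_due', 'refresher_due' or 'current'."""
    if rec.lockout_until and today < rec.lockout_until:
        return "locked_out"
    if rec.baseline is None or today >= rec.baseline + ANNUAL_INTERVAL:
        return "annual_due"
    if rec.extra_refresher_pending:
        return "refresher_due"
    next_scheduled = rec.baseline + REFRESHER_INTERVAL * (rec.refreshers_passed + 1)
    if rec.refreshers_passed < REFRESHERS_PER_YEAR and today >= next_scheduled:
        return "refresher_due"
    return "current"


def complete_annual(rec, correct, today):
    """Annual course: a pass sets a new baseline and restarts the refresher cycle."""
    if correct < ANNUAL_PASS_MARK:
        return False                       # retake until passed; nothing changes
    rec.baseline = today
    rec.refreshers_passed = 0
    rec.extra_refresher_pending = False
    rec.refresher_failures = 0
    rec.network_access = True
    return True


def complete_refresher(rec, correct, today):
    """90-day test: an extra (password-reset) session never advances the schedule."""
    if correct >= REFRESHER_PASS_MARK:
        if rec.extra_refresher_pending:
            rec.extra_refresher_pending = False
        else:
            rec.refreshers_passed += 1
        rec.refresher_failures = 0
        return True
    rec.refresher_failures += 1
    if rec.refresher_failures >= MAX_REFRESHER_FAILURES:
        rec.network_access = False         # unprepared for network operations
        rec.baseline = None                # the annual course is required again
    return False


def password_reset(rec):
    """A forgotten or lost password adds a refresher without resetting the 90-day clock."""
    rec.extra_refresher_pending = True


def record_violation(rec, today):
    """Procedural violation: lose access for 3 days (10 for repeat offenders) and redo the annual course."""
    rec.violations += 1
    days = LOCKOUT_DAYS_FIRST if rec.violations == 1 else LOCKOUT_DAYS_REPEAT
    rec.lockout_until = today + timedelta(days=days)
    rec.network_access = False
    rec.baseline = None
    return rec.lockout_until
```

The `status` function is the piece a network manager would query before granting a logon: it answers "current" only while the baseline is under a year old, no scheduled or password-triggered refresher is outstanding, and no lockout is in force.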
C. BEST PRACTICE IA TECHNIQUES 


The research of this investigation discovered four sources providing “best 
practice” techniques towards information security. These practices ranged from the 
government sector to the civilian sector, all instilling methodical schemes, yet diverse 
stances to achieving safe user network security environments. These four selections are 
listed below using the parent organization(s) from which they were derived: 

• Common Risks Impeding the Adequate Protection of Government Information, 
Office of Management and Budget (FISMA).66 

• Common Sense Guide to Cyber Security for Small Businesses, Internet 
Security Alliance.67 

• Build Security In: Training and Awareness, Carnegie Mellon University 
(Sponsored by the DHS National Cyber Security Division).68 

• Common Sense Guide to Prevention and Detection of Insider Threats, 
Carnegie Mellon University and Internet Security Alliance.69 

1. Best Practice Source 1: Common Risks Impeding the Adequate 
Protection of Government Information (via FISMA) 

The Office of Management and Budget, via the FISMA results, investigated the 
common mistakes and risks impeding the various agencies from adequately protecting 
critical government information. Each risk or mistake FISMA identified is associated 


66 Karen Evans, Top 10 Risks Impeding the Adequate Protection of Government Information, The 
Department of Homeland Security and the Office of Management and Budget, Washington D.C. 2007. 

http://csrc.nist.gov/pcig/document/Common-Risks-Impeding-Adequate-Protection-Govt-Info.pdf 

(Last accessed 09 August 2008). 

67 Carol Woody and Larry Clinton, Common Sense Guide to Cyber Security for Small Businesses, 
Recommended Actions for Information Security, 1st ed., Carnegie Mellon University and Internet Security 
Alliance, 2004, 8 Mar. 2007 http://www.us-cert.gov/reading_room/CSG-small-business.pdf (Last accessed 
31 August 2008). 

68 Kenneth Van Wyk, Build Security In: Training and Awareness, Carnegie Mellon University, 
Pittsburgh, PA (Sponsored by Department of Homeland Security National Cyber Security Division), 2008. 
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html (Last accessed 30 August 2008). 

69 Dawn Capelli, Common Sense Guide to Prevention and Detection of Insider Threats, 2nd Ed, 
with a recommended best practice technique(s) to alleviate the poor computer security 
standards. Of the 10 common risks provided in the OMB report, six were selected for 
this analysis to further consider towards a DoD IA best practice rule set. Below are the 
six risks with their corresponding best practice techniques: 

a. Risk 1 of 10: Security and Privacy Training is Inadequate and 
Poorly Aligned with the Different Roles and Responsibilities of 
Various Personnel 

Best Practices Techniques to Mitigate Risk 1 of 10: 

• Agencies provide security and privacy training for all personnel upon 
hiring and at least annually. Both initial and refresher training explain 
acceptable rules of behavior and the consequences when rules are not 
followed. 

• Agencies assess whether training is effective, and adapt training to 
address changing requirements and emerging threats. 

• Agencies require personnel to sign documentation verifying they 
completed training, track the number of personnel trained, and 
consider whether training was completed when evaluating personnel 
performance. 

b. Risk 5 of 10: Suspicious Activities and Incidents are Not 
Identified and Reported in a Timely Manner 

Best Practices Techniques to Mitigate Risk 5 of 10: 

• Agencies develop and implement standard operating procedures 
describing how to identify and report suspicious activities and 
incidents. 

• Agencies report suspicious activities and incidents in a timely manner 
to mitigate harm and prevent similar incidents from re-occurring. 

• Agencies configure systems to log security events and monitor the logs 
to detect suspicious activity. 


70 Karen Evans, 1-3. 
• Agencies document lessons learned after responding to incidents and 
incorporate them into security and privacy awareness training 
accordingly. 

• Agencies route employee web traffic through approved servers to 
simplify the monitoring of web traffic for malicious content. 

c. Risk 6 of 10: Audit Trails Documenting how Information is 
Processed are Not Appropriately Created or Reviewed 

Best Practices Technique to Mitigate Risk 6 of 10: 

• Agencies log all computer-readable data extracts from databases 
holding sensitive information and verify each extract, including 
whether sensitive data has been erased within 90 days or its use is still 
required. 
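The Risk 6 practice above is a control that can be checked mechanically once extracts are logged: every extract from a sensitive database either has to be erased within 90 days, or its continued need has to be re-verified on the same cadence. The Python check below is an added example written for this edit; it is not the OMB report's or any agency's code, and the CSV layout, the disposition values (`erased`, `still_required`, blank) and the sample log lines are constructed for the example.

```python
"""Audit of a data-extract log against the 90-day erase-or-justify rule (added example)."""
import csv
from datetime import date, timedelta
from io import StringIO

RETENTION = timedelta(days=90)   # extracts must be erased, or re-justified, within 90 days

# Constructed sample extract log; the column layout and disposition values are assumptions.
SAMPLE_LOG = """\
extract_id,requested_by,source_db,extracted_on,disposition,disposition_on
X-1001,analyst1,personnel_db,2008-03-01,erased,2008-04-15
X-1002,analyst2,personnel_db,2008-03-10,,
X-1003,analyst3,payroll_db,2008-05-20,still_required,2008-08-10
X-1004,analyst1,payroll_db,2008-07-01,,
X-1005,analyst4,medical_db,2008-02-01,still_required,2008-04-01
X-1006,analyst2,medical_db,2008-01-05,erased,2008-05-01
"""


def parse_log(text):
    """Parse the CSV extract log into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def review_extracts(rows, today):
    """Return (extract_id, finding) pairs for extracts that need follow-up.

    Rules applied:
      - erased: in order only if the erasure happened within 90 days of extraction
      - still_required: the justification must itself be renewed every 90 days
      - no disposition: acceptable only while the extract is younger than 90 days
    """
    findings = []
    for row in rows:
        extracted = date.fromisoformat(row["extracted_on"])
        disposition = row["disposition"]
        if disposition == "erased":
            erased_on = date.fromisoformat(row["disposition_on"])
            if erased_on - extracted > RETENTION:
                findings.append((row["extract_id"], "erased after the 90-day limit"))
        elif disposition == "still_required":
            renewed_on = date.fromisoformat(row["disposition_on"])
            if today - renewed_on > RETENTION:
                findings.append((row["extract_id"], "justification older than 90 days"))
        elif today - extracted > RETENTION:
            findings.append((row["extract_id"], "no disposition recorded within 90 days"))
    return findings


if __name__ == "__main__":
    for extract_id, finding in review_extracts(parse_log(SAMPLE_LOG), date(2008, 8, 31)):
        print(f"{extract_id}: {finding}")
```

Run against the constructed log on 31 August 2008 the review flags X-1002 (no disposition after 174 days), X-1005 (justification last renewed 152 days earlier) and X-1006 (erased 117 days after extraction); the late erasure is reported whatever the review date, because it is a fact about the record rather than about its age.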

d. Risk 7 of 10: Inadequate Physical Security Controls 

Best Practices Technique to Mitigate Risk 7 of 10: 

• Agencies regularly review procedures, at least annually, for allowing 
physical access to buildings and specific areas to only those who are 
authorized. 

e. Risk 8 of 10: Information Security Controls are Not Adequate 

Best Practices Techniques to Mitigate Risk 8 of 10: 

• Security controls are tested regularly, and at least annually, to ensure 
they are effective. 

• Personnel who test controls work closely with, but remain separate 
from, the personnel administering them. 

• Agencies maintain an accurate plan of action and milestones to fix 
security controls needing improvement. 

• Agencies consider the public availability of related information as a 
factor when determining how to protect government information. 
f. Risk 9 of 10: Inadequate Protection of Information Accessed or 
Processed Remotely 

Best Practices Techniques to Mitigate Risk 9 of 10: 

• Agencies maintain an audit log of information accessed or processed 
remotely, as appropriate. 

• Agencies use privacy screens when working outside the office. 

OMB identified risks covering the physical, training, procedural, and information 
security aspects related to network user behavior. Protecting the information and systems 
that the Federal government depends on is important since agencies increasingly rely on 
new technology. In essence, agencies are working to preserve the integrity, reliability, 
availability, and confidentiality of important information while maintaining their 
information systems. The most effective way to protect information and systems is to 
incorporate security into the architecture of each. The best practice techniques described 
above provide a few possible solutions to the many risks presented in the FISMA 
report to overcome computer security deficiencies. 

2. Best Practice Source 2: Common Sense Guide to Cyber Security for 
Small Businesses 

The Common Sense Guide presents the case that small and medium-sized 
businesses are not cyber-immune and have been significantly harmed by various cyber 
attacks in the past. No longer are large corporations and governmental agencies the only 
targets of opportunity. 

Below are the top ten best practice techniques selected from the Common 
Sense Guide to Cyber Security for Small Businesses:71 

• Use Strong Passwords and Change Them Regularly 

• Look Out for E-mail Attachments and Internet Download Modules 

• Install, Maintain, and Apply Anti-Virus Programs 

• Install and Use a Firewall 
• Remove Unused Software and User Accounts; Clean Out Everything on 
Replaced Equipment 

• Establish Physical Access Controls for all Computer Equipment 

• Create Backups for Important Files, Folders, and Software 

• Keep Current with Software Updates 

• Implement Network Security with Access Control 

• Limit Access to Sensitive and Confidential Data 

The small business best practice techniques provide the user and respective 
managers the necessary precautions and actions needed to preserve the merit of the 
information within a network and the value of the network itself. The small business best 
practice blueprint covers procedural and informational aspects related to network user 
behavior. 


3. Best Practice Source 3: Build Security in: Training and Awareness 

No best practice rule sets were selected from this source, except for a basic 
principle about target audiences. The Carnegie Mellon University example stressed that 
best practice software security training programs should plan differently for the various 
target audiences.72 The Carnegie Mellon example targeted the senior decision makers, 
engineering managers, and software developers as the three choices for their target 
audience. To employ this model towards the DoD, the three target audience choices 
would be: Senior Leadership (CO/XO), Information/Knowledge Managers and IT staff, 
and lastly the individual users. 


72 Kenneth Van Wyk, 1-3. 





4. Best Practice Source 4: Common Sense Guide to Prevention and 
Detection of Insider Threats 

The last of the best practice rule sets analyzed was Carnegie Mellon CyLab’s best 
practice techniques to counter and help prevent insider attacks from corrupting an information 
infrastructure. Implementation of the following 13 practices will provide an organization 
the defensive measures that could prevent or facilitate early detection of the many insider 
attacks other commercial industries have experienced.73 Below are the 13 best practices 
for preventing insider attacks: 

• Institute periodic enterprise-wide risk assessments. 

• Institute periodic security awareness training for all employees. 

• Enforce separation of duties and least privilege. 

• Implement strict password and account management policies and practices. 

• Log, monitor, and audit employee online actions. 

• Use extra caution with system administrators and privileged users. 

• Actively defend against malicious code. 

• Use layered defense against remote attacks. 

• Monitor and respond to suspicious or disruptive behavior. 

• Deactivate computer access following termination. 

• Collect and save data for use in investigations. 

• Implement secure backup and recovery processes. 

• Clearly document insider threat controls. 

The Carnegie Mellon best practice techniques provide safety measures and 
actions required to prevent and detect insider threats from within an installation. 
Although these techniques are labeled common sense, they are at times overlooked or 
neglected, thus needing reemphasis and readdressing. The first line of defense from 
insider threats is the employees themselves. Security awareness must be instilled in the 
organization so that all employees understand the need for policies, procedures, and 

73 Dawn Capelli, 15-16. 
physical controls. Once again we see that the insider best practice techniques encompass 
the procedural and information security aspects related to network user behaviors. 

5. Information Assurance Best Practice Rule Set 

Based on the previous four examples presented above, a best practice rule set was 
compiled and categorized into four main sub-categories: Physical, Training, 
Informational, and Procedural-User. Within each sub-category, the best practices are 
ranked by priority in descending order, allowing the network manager to refer to specific 
categories and select best practices to incorporate into their respective networks. 
Listed below are the categorized IA Best Practice techniques with corresponding 
rankings within each sub-category: 

a. Physical Rule Set 

Physical best practice techniques pertain to the measures needed to 
prevent or deter attackers from accessing a facility or resource. 

• Establish Physical Access Controls for all Computer Equipment 

• Use extra caution with system administrators and privileged users. 

• Review procedures, at least annually, for allowing physical access to buildings 
and specific areas to only those who are authorized. 

b. Training Rule Set 

Training best practice techniques pertain to the measures needed to ensure 
proper and effective training resources are established and/or enforced to protect a 
facility, network or the information it possesses. 

• Provide security training for all personnel upon hiring and at least annually. 
Both initial and refresher training explain acceptable rules of behavior and the 
consequences when rules are not followed. 

• Assess whether training is effective, and adapt training to address changing 
requirements and emerging threats. 
• Require personnel to sign documentation verifying they completed training, 
track the number of personnel trained, and consider whether training was 
completed when evaluating personnel performance. 

c. Informational Rule Set 

Informational best practice techniques pertain to the measures needed to 
protect the value of the information within a given infrastructure or installation. 

• Consider the public availability of related information as a factor when 
determining how to protect government information. 

• Clearly document insider threat controls. 

• Log all computer-readable data extracts from databases holding sensitive 
information. 

• Maintain an audit log of information accessed or processed remotely, as 
appropriate. 

d. Procedural Rule Set 

Procedural best practice techniques pertain to the measures needed to 
protect a network through the policies, standards, and procedures imposed daily with 
respect to user roles, responsibilities and behaviors in order to maintain safe working 
network environments. 

• Security controls are tested regularly, and at least annually, to ensure they are 
effective. 

• Institute periodic enterprise-wide risk assessments. 

• Use Strong Passwords and Change Them Regularly. 

• Install, Maintain, and Apply Anti-Virus Programs. 

• Install and Use a Firewall. 

• Implement secure backup and recovery processes. 

• Enforce separation of duties and least privilege. 

• Report suspicious activities and incidents in a timely manner to mitigate harm 
and prevent similar incidents from re-occurring. 

• Monitor and respond to suspicious or disruptive behavior. 

• Remove Unused Software and User Accounts; Cleanout Everything on 
Replaced Equipment. 

The author recommends that knowledge and information managers integrate this 
compiled set of best practice rules into their respective installation’s security plans to 
preserve and maintain a safe working network environment. By dividing the rules into 
four main categories, managers can pick and choose particular rules from individual best 
practice categories or select entire best practice rule sets to incorporate into their respective 
networks or security plans. Either way, managers and/or users now possess a rigid set of 
IA best practice rules to comply with in order to practice and execute first-class 
computer-security work ethics. 

D. RECAP 

Chapter IV of this thesis explored the changes needed to the current DoD 
Information Assurance training program and proposed a revitalized approach to 
strengthen the measures needed to battle the information management dilemma. The 
latter half of Chapter IV introduced the various best practice techniques found in 
government and commercial industry. Those best practice techniques were further 
divided into four categories covering any DoD and commercial guidelines for network 
security and protection. In Chapter V, the IA best practice techniques, along with the 
revitalized IA training approach, will be evaluated and validated for their efficiency and 
effectiveness for future operations. Finally, Chapter V will introduce recommendations 
and improvements for any shortcomings determined. 
V. ANALYSIS, RECOMMENDATIONS AND EVALUATION METRICS 


A. INTRODUCTION 

The struggle for information management is a battle that cannot be won 
overnight, or by way of part-time support. Similar to the “long war” (the Global War on 
Terror) we are currently engaged in with terrorist networks, the information dominance 
effort needs to be an “all-hands” endeavor to overcome the information management 
dilemma for the long haul. Thus far in this investigation, many doctrines, standards and 
policies at various levels in the U.S. Government were analyzed in Chapter II, painting a 
clear picture and expressing in great detail the immense challenges information 
management encompasses. Over the past decade, words like “network”, “internet” and 
“cyberspace” have become a common part of many people’s vocabulary and lives. 

In Chapter III, the topic of internet dependency was discussed, illustrating that 
people, especially the citizens of the United States, basically require the full use of the 
internet to fulfill many everyday needs. Today, the network, internet, and cyberspace 
enable people to communicate and accomplish everyday business, purchase 
movie/airline tickets, read newspaper articles or attain assorted bits of information in a 
fraction of the time that previous research efforts required. Unfortunately, cyber-attackers, 
both internal and external, have also used these very same three words 
(network, internet, and cyberspace) to corrupt our information and information 
infrastructures or to capture our information in raw form for exploitation purposes. 
Furthermore, Chapter III reported on the ‘poor’ federal computer security grades 
(FISMA), indicating that a recourse was clearly needed. 

Chapter IV explored two viable methods to alleviate these poor grades and 
counter the information management dilemma via the people-organizational route 
(revitalized training and incorporation of “best practice” lessons). Rather than address 
the managers of our information sources and information management systems, this 
investigation chose instead the people-organization element as the target of opportunity 
with the largest potential return. The first method presented in this investigative study 
was to revitalize the Information Assurance training program, while the second method 
set about to incorporate an IA “best practice” technique rule set to help deal with the 
ever-growing challenges of information management. Both solutions were discussed in 
detail in Chapter IV. Chapter V builds on that previous information by seeking to 
illustrate the key features of the four best practice publications analyzed and to both 
establish preferred IA methods and formulate recommendations. Furthermore, Chapter V 
will establish a set of performance metrics to evaluate the two possible solutions and 
introduce any future changes that might emerge, or re-attack any related vectors, to 
counter any deficiencies or shortcomings if and when they should appear. 

B. KEY FEATURES 

1. Publications 

Many publications were examined in this Information Assurance practice 
analysis. Most were informative, most were also somewhat redundant, but the majority 
of all the publications had the primary goal of setting standards and policies to keep 
important networks safe and protected. Unfortunately, the same majority of the 
publications did not begin to address the important topic of establishing acceptable and 
valuable user perspectives towards actually achieving network security. Instead, most 
were designed for the designated authorities or information managers placed in charge of 
maintaining the information flow within the information infrastructure. In the author’s 
opinion, a view restricted to only the manager’s perspective dooms any effort towards 
improved network assurance from the very beginning. True and lasting improved 
network assurance relies on enforcing a set of proven techniques and modifying 
unacceptable user behavior, policy, and procedure through informed Information 
Technology (IT) management and training programs. 

2. Information Assurance Training 

The revitalized approach (described earlier in Chapter IV) to the current IA 
structure prescribed many procedural changes and proposals intended to make certain 
that IA training was not just another mandatory training exercise. Furthermore, the 
critical information gained via the trainer, even if effective in design and scope, would 
often be forgotten about or ignored until the next year’s training session - because of the 
time frames currently used (i.e. annually). The revitalized approach introduced the 
necessary steps to revive and strengthen training modules. Key features of the proposed 
revitalized IA training model mainly center on the user and organizational involvement, 
both of which are essential elements to program success. The top three features from the 
revitalized training approach are described below: 

a. Feature 1: Comprehension of IA Knowledge 

Past training models did not require feedback or Question and Answer 
sessions. The revitalized approach removes this shortcoming by requiring 10-Question 
Proficiency testing to receive an IA Training certificate. Additionally, feedback 
questions are interjected throughout the annual training to ensure the trainee is actively 
engaged with the training session and grasping the material content. The “90-Day” 
refresher test consists of 5 questions, vice the 10 questions for the annual. Minimum 
score for both annual and quarterly testing is recommended as 80%. 

b. Feature 2: Currency Requirements 

Increasing the currency requirements of the trainee will help to solidify the 
trainee’s knowledge gained from the IA trainer and sustain a nearly continuous level of 
IA proficiency. “90-Day” refresher tests will restore the user knowledge base, stressing 
the day-to-day importance of IA in the workspace. The proposed “90-Day” refreshers 
will occur in concert with required quarterly password changes. In a given year, a user 
will complete one annual trainer and three refreshers, at a minimum. Additional testing 
may occur, at the discretion of the knowledge/information manager. 

c. Feature 3: Consequences for Violations 

Individuals who violate any network procedural standards must face the 
necessary consequences and penalties. Violators will re-accomplish the annual training 
requirement & proficiency testing and lose their network privileges for 3 consecutive 
workdays, minimum. Repeat offenders will re-accomplish the annual training & testing, 
complete a verbal/oral test with the knowledge/information manager, lose network 
privileges for 10 days minimum and be limited to two 30 minute network sessions daily 
(to get mail and for organizational situational awareness information). 

3. Information Assurance Best Practice Rule Set 

The best practice rule set for Information Assurance is a compilation of the various 
techniques found in the government and civilian sectors. The IA best practices summary 
presented at the end of Chapter IV is identified as a design that will ensure that the 
knowledge/information manager can accomplish Information Management requirements. 
Those requirements include meeting specific security goals and objectives that ensure 
that essential actions are employed by all authorized network users and that the 
information within his/her respective installation/infrastructure is safeguarded. Inherently, risks and 
vulnerabilities will exist no matter what standards are implemented. Best practices are 
valuable and essential because they reduce these risks to manageable and sustainable 
levels. The compiled IA best practice rule set was divided into 4 groupings: Physical, 
Training, Informational, and Procedural. These four groups are the key features of the 
recommended IA best practice techniques listed below: 

a. Feature 1: Physical Rule Set 

Physical best practices techniques are intended to prevent or deter 
attackers from accessing a facility or critical information resource. Physical rules must 
be established and executed to further protect the confines, resources and the facility from 
potentially hazardous external and insider threats. Procedures relating to physical access 
points should be reviewed periodically and understood by all network users. Additional 
vigilance must be devoted by informed users to contribute to the goal of keeping the 
facility and information safe. 

b. Feature 2: Training Rule Set 

Training best practice techniques are intended to ensure proper and 
effective training resources are established and enforced to protect a facility, network or 
the information it possesses. Therefore, all users in an organization must understand that 
training policies and procedures exist, that there is good reason for why they exist, that 
they must be strictly enforced - no exceptions, and that there can be serious 
consequences for any infractions. Each user needs to be aware of the organization’s 
network information management security policies and the procedural elements related to 
detecting violations, securing vulnerabilities and reporting incidents. Training must 
not be taken lightly. All users shall adhere to the rigid training requirements annually 
and quarterly. 


c. Feature 3: Informational Rule Set 

Informational best practice techniques are intended to protect the value of the 
information within a given infrastructure or installation. Periodic monitoring and 
auditing provide both the network manager and the system user the opportunity to discover 
and investigate suspicious behavior, both internal and external, and to react before serious 
consequences ensue. 

d. Feature 4: Procedural Rule Set 

Procedural best practice techniques, when properly executed, provide a 
protected network through policies, standards, and procedures put in place to maintain 
safe working network environments. Strict user compliance with the best practice rules, 
treating them as mandatory processes, checklists and procedures, will solidify good 
practices and habits throughout an installation. Standards, policies and procedures will 
ultimately become everyday common knowledge if the best practice rules are applied and 
enforced daily. 

C. RECOMMENDATIONS 

1. Authorize the Revitalized Approach 

The author of this investigation recommends that the proposed 
revitalized approach toward Information Assurance be implemented now. By 
postponing the revitalized approach, more risks and vulnerabilities become apparent, 
exposing increased occurrences of holes and weaknesses in the network infrastructure, 
allowing even more information, and the network infrastructure itself, to possibly be 
compromised. 

From the P-O aspect, the largest gain from the current dismal report cards for IA 
security effectiveness is expected to come about as a result of changing user behavior. 
Training is one of the time-proven methods that will instill a better understanding and 
awareness of the potential harm people may inflict within an infrastructure or installation. 
Increasing the currency of the training, implementing proficiency tests, and enforcing the 
consequences will ultimately serve to sustain and enhance the user’s IA frame of mind. 
Enhancement includes understanding the user roles/responsibilities for identifying 
potential risks, assessing those risks, and taking action on those risks to thwart any 
impending harm from penetrating the information environment. 

2. Implement IA Best Practice Rule Set 

The author of this investigation also recommends that the IA best 
practice rule set be enforced in unison with the training to improve and reinforce the IA 
infrastructure. From the P-O perspective, the network users (people) are the basic roots 
and foundation of an efficient security program, and in order to demonstrate effectiveness, 
the people need to exhibit 100% compliance with the IA best practice rules. 
Machines and computers only do what people tell them, or program them, to do. 
Advertising and enforcing the IA best practice rule set can only help promote the need for 
strong procedures and policies for total compliance. By displaying the rules on posters, 
billboards or placards throughout an installation, rules can be frequently reviewed, thus 
battling the information dilemma on all fronts. Additionally, dividing the best practice 
rule set into 4 main sub-categories allows the manager or user to pick and choose specific 
rules from any subset. For example, a user/manager can pick single best practice rules 
from the Physical and/or Training best practice rule set and then incorporate them into 
his/her daily practice. Additionally, the user/manager can also select a complete rule set 
(like Procedural) to then incorporate into his/her daily practice as conditions require. 
Utilizing both methods (training and best practice methods) can help reduce the 
number of incidents. Additionally, both of these methods can decrease the amount of 
information lost to an incident as well as the possible financial losses. From the FBI’s 
2007 Internet Crime Report, incidents cost the government $198,440,000 in 2006 and 
$239,090,000 in 2007. This is a far cry from the 2001 figure of $17,800,000. To get 
back to acceptable & manageable trends, or to significantly reduce the damaging 
financial impact on an organization, security measures must be instilled now. 

D. SAFE-USER MODEL 

The Safe-User Model is the combination of both recommended methods 
(revitalized IA training and the IA best practice rule set) in order to provide the People 
and the Organization the necessary tools and resources to therefore achieve Safe-User 
awareness, behaviors and habit patterns. The Safe-User Model illustrates that full 
integration of both techniques is the optimal approach for success. Below, training is 
denoted as Yellow and the best practice rules are denoted Blue. Utilizing both methods 
completely and in unison will allow both input circles to merge together (go green) and 
ultimately infuse solid IA principles throughout an installation or infrastructure. By 
implementing both inputs of the Safe-User Model, knowledge & information managers 
will eventually reach the safe “green” zone, thus overcoming the P-O influence with 
respect to computer/information security. 


Internet Crime Complaint Center (IC3), 2007 Internet Crime Report, 3. 

Figure 5. Safe-User Model 


E. VALIDATION OF THE RECOMMENDATIONS 

From the recommendations described above, validation measures need to be 
devised to measure and track if the safe-user model (revitalized annual training 
complemented with wholesale adoption of best practice methods) discussed is properly 
functioning. These validation metrics are used to measure the effectiveness of the IA 
training and the implementation procedure of the best practice IA rule set. The metrics 
are designed to be instituted on a yearly basis. 

To clarify, the compliance measures, similar to the FISMA reports, need to 
evaluate the training and best practices methods on a yearly basis in order to determine if 
issues need to be readdressed or re-attacked to achieve information dominance goals and 
expectations. Of note, year one measurement results will act as the baseline results for 
validation for all subsequent years, due to the fact that no measures, except for 
compliance, may have been measured in years past. 
1. Validation Metrics 


The overall goal of the validation metrics is to monitor the trends (positive or 
negative) in computer security compliance with respect to Information Assurance. 
Without this data, there is no feedback available on effectiveness. The following metrics 
(refer to Table 8) are proposed in order to validate and measure the effectiveness of the 
revitalized training mechanism and IA best practice techniques. 

The evaluation criteria for each of these validation metrics are numerically based. 
Quantitative data is recommended to support tracking the various categories listed, and 
the results will be documented in a scorecard on a yearly basis. Year one results, as 
mentioned above, will establish the baseline figures against which follow-on years are 
compared and contrasted. Categories range from the number of incidents, average 
days to complete either trainer, and number of violators, to the most commonly violated best 
practice rules. All measures are to be reported at the organization level, and then to the 
installation’s parent command, and ultimately rolled up and disclosed to the Office of 
Management and Budget via the annual FISMA report. 

The validation metrics will test all groups associated with the DoD and the 
various governmental agencies. This includes military personnel, civilian employees and 
government contractors. For the “all-hands” effort to be successful towards improving 
and maintaining computer security, no group will be left untested. No exceptions. 
Below, Table 8 displays the metrics to be used on a yearly basis to measure the 
Information Assurance performance levels from one year to the next. 


Metrics of Validation 

CATEGORY                                                          200X    200Y 
------------------------------------------------------------------------------ 
Information Assurance Trainer 
  NUMBER OF: 
    Personnel in command 
    Personnel Trained 
    Incidents Reported Total 
      Yearly 
      Monthly 
      Weekly 
    Users Who Completed Training 
      Within 3 days 
      4 - 7 days 
      Over 7 days 
    Users Who Failed the Annual Test on First Attempt 
    Violators 
    Repeat Violators 
    Users Exceeding 5 Failures on Refresher 
    Month With Most No. of Incidents 
  AVERAGE: 
    Score of Annual IA Test 
    Attempts to Complete Annual IA Trainer 
    Attempts to Complete Refresher Test 
    Time in Minutes to Complete Annual Trainer 
Best Practice Rules 
    No. of Users in Violation of Best Practice Rule Set 
    No. of Incidents Reported Total 
      Yearly 
      Monthly 
      Weekly 
    Quarter With Most No. of Incidents 
    Are Best Practice Rule Sets Openly Displayed (YES or NO) 
    Best Practice Rules Commonly Violated 
      *** Separate report to specify Rule No. and number of times violated 

Table 9. Metrics for Validation 
For example, if a command reported 14 incidents in the year 2007 and then 
reported 9 incidents in 2008, the metrics report shows a negative trend for incidents. This 
is good. However, if 16 incidents were then reported for 2009, the manager and 
command leadership would become aware of this rising trend and therefore look for 
remedies to neutralize the increase. Additionally, these metrics, along with those of all other 
installations, would be compiled and critically examined to determine if changes to the 
IA training or IA best practices are overlooking any aspect with respect to Information 
Assurance. Perhaps the proposed metrics themselves would evolve over time into even 
better indicators and, through usage and review, collapse to a more optimal list than those 
chosen for IA program startup. 

2. Proposed Acceptance Criteria 

For IA training to be effective, no user should exceed 7 days for completion of 
the training program. As the initial year progresses, the results for violations and 
incidents should see steady decreases from start-up values. Next, annual test 
results should aim for an average grade of 90%, well above the 80% minimum threshold, 
in order to ensure threshold-level proficiency. Additionally, the average number of 
attempts for completion should strive to be as close to one (1) as possible. For best 
practice metrics, users in violation and incidents should again see steady decreases. If 
increases are measured, increasing consequences and more stringent enforcement of the 
best practice rule set is required via managers, and re-vectoring may be required. Finally, 
tracking the best practice rules commonly violated leads to a need for supplemental 
tracking reports and/or supplemental training requirements. Supplemental tracking 
reports will state which best practice rule was violated along with the associated number of 
violations. Additionally, the remediation actions employed by the manager should be 
noted and assessed to determine whether positive outcomes were achieved. The manager would therefore 
track all violations/incidents, describe the remediation action employed, and document whether 
the violation or incident was resolved in a timely manner. Reports would then be 
submitted to the installation’s parent command and ultimately rolled up and disclosed to 
the Office of Management and Budget via the annual FISMA report. 
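To make the acceptance criteria above concrete, the following is an added example (not part of the thesis) of a small Python scorecard evaluator. It encodes the criteria stated in this section (no user over 7 days, a 90% average against the 80% minimum, attempts close to one, incidents and violators decreasing from the year-one baseline) and the supplemental "rules commonly violated" report. The yearly figures are constructed for illustration and reuse the 14 / 9 / 16 incident sequence from the text; the tolerance of 1.1 average attempts and the rule identifiers in the sample violation log are assumptions, not values from the thesis.

```python
"""Yearly IA validation scorecard evaluator (added example, not from the thesis).

Encodes the acceptance criteria: no user over 7 days to complete training,
average annual test score of 90% (above the 80% passing minimum), average
attempts close to one, and incidents/violators decreasing from the baseline
year. Also produces the supplemental "rules commonly violated" report.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_PASSING_SCORE = 80.0       # minimum score for annual and refresher tests
TARGET_AVG_SCORE = 90.0        # acceptance target for the average annual score
ATTEMPTS_TOLERANCE = 1.1       # assumption: how close "as close to one as possible" must be


@dataclass
class YearlyMetrics:
    """One year of figures from the metrics table, reported at organization level."""
    year: int
    incidents_total: int
    violators: int
    completed_over_7_days: int   # users who took more than 7 days to finish training
    avg_annual_score: float      # average score of the annual IA test (percent)
    avg_attempts_annual: float   # average attempts to complete the annual trainer


def incident_trend(history: List[YearlyMetrics]) -> List[Tuple[int, int, str]]:
    """Label each year after the first as decreasing / increasing / flat vs. the prior year."""
    trend = []
    for prev, cur in zip(history, history[1:]):
        if cur.incidents_total < prev.incidents_total:
            direction = "decreasing"
        elif cur.incidents_total > prev.incidents_total:
            direction = "increasing"
        else:
            direction = "flat"
        trend.append((cur.year, cur.incidents_total, direction))
    return trend


def evaluate(history: List[YearlyMetrics]) -> Dict[str, bool]:
    """Check the latest year against the acceptance criteria; year one is the baseline."""
    baseline, latest = history[0], history[-1]
    return {
        "no_user_over_7_days": latest.completed_over_7_days == 0,
        "avg_score_meets_target": latest.avg_annual_score >= TARGET_AVG_SCORE,
        "attempts_near_one": latest.avg_attempts_annual <= ATTEMPTS_TOLERANCE,
        "incidents_below_baseline": latest.incidents_total < baseline.incidents_total,
        "violators_below_baseline": latest.violators < baseline.violators,
    }


def failed_criteria(history: List[YearlyMetrics]) -> List[str]:
    """Criteria the latest year misses; a non-empty list is the manager's re-vectoring cue."""
    return sorted(name for name, ok in evaluate(history).items() if not ok)


def commonly_violated(violation_records: List[str]) -> List[Tuple[str, int]]:
    """Supplemental report: rule number and count of violations, most violated first."""
    return Counter(violation_records).most_common()


# Constructed sample data: the 14 / 9 / 16 incident sequence from the text,
# with the other fields invented for illustration.
SAMPLE_HISTORY = [
    YearlyMetrics(2007, incidents_total=14, violators=5, completed_over_7_days=2,
                  avg_annual_score=85.0, avg_attempts_annual=1.3),
    YearlyMetrics(2008, incidents_total=9, violators=3, completed_over_7_days=0,
                  avg_annual_score=91.0, avg_attempts_annual=1.05),
    YearlyMetrics(2009, incidents_total=16, violators=4, completed_over_7_days=1,
                  avg_annual_score=88.0, avg_attempts_annual=1.2),
]

# Constructed violation log: one entry per violation, keyed by a placeholder rule id.
SAMPLE_VIOLATIONS = ["P-3", "T-1", "P-3", "D-2", "P-3", "T-1"]

if __name__ == "__main__":
    for year, count, direction in incident_trend(SAMPLE_HISTORY):
        print(f"{year}: {count} incidents ({direction})")
    print("Failed criteria for latest year:", failed_criteria(SAMPLE_HISTORY))
    print("Commonly violated rules:", commonly_violated(SAMPLE_VIOLATIONS))
```

With the constructed history, 2008 passes every criterion against the 2007 baseline, while 2009 fails four of the five, which is exactly the rising-trend signal the text says should prompt the manager to look for remedies.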
F. POSSIBLE SHORTCOMINGS 

One possible shortcoming is the adequacy of the pool of available questions. If 
the question bank remains constant, users will eventually memorize the answers. If the 
requirements change, then the existing pool of questions may be out-dated. Changing the 
wording of the questions is needed to ensure that fundamentals, not memorization 
skills, are tested and to ensure relevancy. Another possible shortcoming is if the senior leadership 
does not fully support the revitalized IA training changes and the “90-Day” refresher 
tests. In this case, command leadership must understand that poor practices within their 
commands could spawn risks to other installations and create a far larger problem than 
intended. Commands need to understand that information security is an “all hands” 
effort, not a singular effort. Third, if consequences are not changing the bad habits of 
those repeat violators, escalation will be required. One solution may be to revoke all 
network privileges and force extra duty days and criminal prosecution. Only under direct 
supervision may the ‘repeat’ repeat offender be allowed to check official work-related 
emails. Bottom Line: Because of the potential consequences, network security violations 
should be viewed in the same light as all other legal or procedural standard practices. 

G. RECAP 

As the internet continues to grow, so do the associated risks and vulnerabilities. 
Safe-User models and measures, like improved training standards and best practice 
techniques, are good beginnings, but performance metrics and evaluations need to be 
incorporated to further counteract the actions of internal and external threats. Chapter V 
provided recommendations toward information/computer security using the two methods 
described in Chapter IV with respect to the P-O aspect. The Safe-User model illustrated 
how both IA elements are needed in order to overcome the P-O influence with respect to 
computer/information security. 

Additionally, validation standards of the revitalized approach to IA training and 
the IA best practice rule sets were introduced for validation purposes. The metrics format 
presented allows for progress to be measured on a yearly basis. Furthermore, exploring 
possible re-attack vectors may be needed if shortcomings arise. Finally, these possible 
shortcomings were discussed and possible means to correct the issues were presented. To 
conclude, Chapter VI provides conclusions and recommendations for future areas of 
research and suggestions to counter any other possible shortcomings resulting from the 
described Safe-User model. 

The people are the root for overall success. Effectively training the people, 
enforcing best practices in their daily routine, and implementing strict consequences will 
in due course convince the people and organization to become cyber advocates against 
cyber crimes and threats. 

VI. CONCLUSION 


A. SUMMARY 

This investigation researched and analyzed an extensive set of documents 
and publications regarding network security, information security, and information 
assurance. Resources ranged from the government sector to the civilian. This analysis 
concluded that the vast amount of knowledge available is not particularly directed 
towards user roles, responsibilities and behaviors. Instead, the majority is “top level” 
and intended for the knowledge or information managers who maintain and preserve the 
critical flow of information over the rapidly expanding information networks. Guidance 
and strategic goals for network security were delineated from The President’s National 
Strategy to Secure Cyberspace, as this thesis paid particular attention to engaging the 
security awareness and training program dilemma with respect to the people- 
organizational aspect. 

The analysis then explored the people’s (the user’s) resounding dependency on the 
internet to communicate and attain information. The value of information cannot be 
overlooked or underestimated. Speed, accuracy, usability, relevance and content are a 
few of the information quality characteristics desired by most. Next, the analysis 
examined the surprisingly poor results of OMB’s annual FISMA report, denoting the 
major flaws and discrepancies found throughout the federal government. Potential for 
improving computer security was evident and attainable if properly addressed. Computer 
and information security has been, is and will be a major concern for any installation or 
infrastructure, civilian or governmental. 

This investigation then brainstormed various means and methods to overcome the 
poor FISMA security grades. The selected courses of action ultimately designated the 
people and organizational procedure aspect as the target of opportunity, utilizing a 
“bottom up” approach. The findings determined that current Information Assurance 
training standards needed to be revitalized in conjunction with the establishment of an IA 
best practice rule set to be incorporated throughout the DoD. 

The investigation then analyzed the two selected methods (a revitalized IA 
training approach and an IA best practice rule set) and thus recommended that both 
methods be implemented sooner rather than later, with the hope of opposing any 
cyber risks or vulnerabilities that an information infrastructure may have encountered. 
These two recommended methods are the primary inputs for the Safe-User model 
introduced in Chapter V. Next, the analysis evaluated and validated the efficiency and 
effectiveness of both the IA best practice rule set and the revitalized IA training 
approach. Candidate validation metrics were then developed to further justify that the 
two proposed methods need to be fully integrated in all DoD installations’ security 
policies & plans to enhance information management and augment network security. 

B. SUGGESTIONS FOR FUTURE RESEARCH 

1. Certification and Accreditation 

There needs to be research conducted to examine the best way of certifying and 
accrediting the revitalized IA training approach and IA best practice rule set. 
The results of such a research project would allow for the two proposed methods 
to be further executed and tested in order to determine if the DoD does indeed 
need refinement in the IA training department. 

2. Develop Measures 

Develop measures of effectiveness and performance to quantify that the IA 
revitalized approach and the IA best practice rule set can provide the necessary 
levels of assurance. 
3. Evaluate the Validation 

Develop pre-evaluation metrics prior to the first-year validation results of the 
revitalized IA training approach and IA best practice rule set. Rather than 
waiting one year to establish the baseline figures, develop a quarterly-based 
investigation to provide threshold values for the yearly validation assessments. 

4. OPSEC Model 

Develop a similar model to further enhance and improve user and organizational 
awareness towards understanding the magnitude and significance of 
Operations Security (OPSEC) in mission critical operations. 
APPENDIX 

IA TRAINING SAMPLE QUESTIONS 


The following list provides the 25 sample questions, for both annual and refresher 
tests, to be incorporated into the revitalized Information Assurance Awareness Training. 
Source data for the questions are derived from the annual DoD IA Trainer and the 
CISSP All-in-One Exam Guide (see the sources listed below). The format of the questions is either multiple 
choice or True/False. 

1) Multiple Choice: What is the definition of Information Assurance? Measures 
that protect and defend information systems by ensuring their availability, 
integrity, confidentiality, authentication, and non-repudiation. These 
measures include providing for restoration of information systems by 
incorporating protection, detection, and reaction capabilities. 

2) Multiple Choice: What does the acronym C.I.A. stand for with respect to 
Information Assurance? Confidentiality, Integrity, and Availability. 

3) True or False: INFOCON 5 is described as Maximum Readiness/Significant 
impact on system availability? False, that description applies to INFOCON 1. 

4) Multiple Choice: What document requires government employees and 
contractors to undergo periodic computer security training? FISMA (Federal 
Information Security Management Act). 

5) Multiple Choice: What is the common method used to inject malicious code 
into an information infrastructure? Email. 

6) Multiple Choice: What are examples of malicious code? Viruses, worms, 
Trojan horses, and logic bombs. 

7) True or False: Only network managers are responsible for enforcing Information 
Assurance? False, every user is responsible. 

8) Multiple Choice: What is a Denial of Service? Any action, or series of 
actions, that prevents a system or its resources, from functioning in 
accordance with its intended purpose. 


Sources: 

DoD Information Assurance, Training Notes. 

Shon Harris, Certified Information Systems Security Professional (CISSP): All-in-One Exam 
Guide, Third Edition. New York, 2005. 

9) Multiple Choice: Define Threat? Any potential danger to information or 
systems. 

10) Multiple Choice: Define Vulnerability? A software, hardware, or procedural 
weakness that may provide an attacker the open door he/she is looking for to 
enter a computer or network and gain unauthorized access to resources within 
the environment. 

11) Multiple Choice: Define Risk? The likelihood of a threat agent taking 
advantage of a vulnerability. Also described as the loss potential, or 
probability, that a threat will exploit a vulnerability. 


12) Multiple Choice: Define Exposure? An instance of being exposed to losses 
from a threat. 

13) True or False: Critical Infrastructure Protection (CIP) includes Energy, 
Water, Banking, Information Technology & Telecommunication, Emergency 
Services, and Transportation & Border Security? True. 

14) Multiple Choice: What is confidentiality? A security principle that works to 
ensure that information is not disclosed to unauthorized subjects. 

15) Multiple Choice: What is integrity? A security principle that makes sure that 
information and systems are not modified maliciously or accidentally. 

16) Multiple Choice: What is availability? The reliability and accessibility of 
data and resources to authorized individuals in a timely manner. 

17) Multiple Choice: What is more dangerous, an insider/internal threat or an 
outsider/external threat? Insider/internal threat. 

18) Multiple Choice: Of the two human threat categories (insider/internal or 
outsider/external), who causes harm by lack of training/awareness? 
Insider/internal threat. 

19) Multiple Choice: Of the two human threat categories (insider/internal or 
outsider/external), who utilizes sophisticated software to identify a system's 
security weaknesses? Outsider/external threat. 

20) Multiple Choice: What is an attack? An attempt to bypass security controls 
in a system with the mission of using that system or compromising it. 

21) Multiple Choice: What is a social engineering element of information 
assurance? The act of tricking another person into providing confidential 
information by posing as an individual who is authorized to receive that 
information. 
22) Multiple Choice: What is another name for a countermeasure? Safeguard. 

23) Multiple Choice: What ensures that no single person has total control over an 
activity or task? Separation of duties. 

24) True or False: Information Risk Management is a statement by management 
dictating the role security plays in the organization? False, a security policy 
dictates this role. 

25) True or False: By completing this training, you have a better understanding 
of Information Assurance and the roles and responsibilities the user needs to 
demonstrate? Hopefully True. 